Abstract

The notion of aggregate signature has been motivated by applications and it enables any user to 
compress different signatures signed by different signers on different messages into a short signature. 
Sequential aggregate signature, in turn, is a special kind of aggregate signature that only allows a signer 
to add his signature into an aggregate signature in sequential order. This latter scheme has applications 
in diversified settings such as in reducing bandwidth of certificate chains and in secure routing protocols. 

Lu, Ostrovsky, Sahai, Shacham, and Waters (EUROCRYPT 2006) presented the first sequential aggregate
signature scheme in the standard model. The size of their public key, however, is quite large (i.e.,
the number of group elements is proportional to the security parameter), and therefore, they suggested
as an open problem the construction of such a scheme with short keys.

In this paper, we propose the first sequential aggregate signature schemes with short public keys 
(i.e., a constant number of group elements) in prime order (asymmetric) bilinear groups that are secure 
under static assumptions in the standard model. Furthermore, our schemes employ a constant number 
of pairing operations per message signing and message verification operation. Technically, we start 
with a public-key signature scheme based on the recent dual system encryption technique of Lewko and 
Waters (TCC 2010). This technique cannot directly provide an aggregate signature scheme since, as we 
observed, additional elements should be published in a public key to support aggregation. Thus, our 
constructions are careful augmentation techniques for the dual system technique to allow it to support 
sequential aggregate signature schemes. We also propose a multi-signature scheme with short public 
parameters in the standard model. 
1 Introduction


Aggregate signature is a relatively new type of public-key signature (PKS) that enables any user to combine
n signatures signed by n different signers on n different messages into a short signature. The concept of
public-key aggregate signature (PKAS) was introduced by Boneh, Gentry, Lynn, and Shacham [10], and
they proposed an efficient PKAS scheme in the random oracle model using bilinear groups. After that,
numerous PKAS schemes were proposed using bilinear groups [1, 7, 8, 15, 16, 27, 28] or using trapdoor
permutations.

One application of aggregate signature is the certificate chains of the public-key infrastructure (PKI).
The PKI system has a tree structure, and a certificate for a user consists of a certificate chain from a root
node to a leaf node, each node in the chain signing its predecessor. If the signatures in the certificate chain
are replaced with a single aggregate signature, then bandwidth for signature transfer can be significantly
saved. Another application is to the secure routing protocol of the Internet protocol [10]. If each router that
participates in the routing protocol uses a PKAS scheme instead of a PKS scheme, then the communication
overhead of signature transfer can be dramatically reduced. Furthermore, aggregate signatures have other
applications such as reducing bandwidth in sensor networks or ad-hoc networks, as well as in software
authentication in the presence of software updates [1].

1.1 Previous Methods 

Aggregate signature schemes are categorized as full aggregate signature, synchronized aggregate signature, 
and sequential aggregate signature depending on the type of signature aggregation. They have also been 
applied to regular signatures in the PKI model and to ID-based signatures (with a trusted key server). 

The first type of aggregate signature is full aggregate signature, which enables any user to freely aggregate
different signatures of different signers. This full aggregate signature is the most flexible aggregate
signature since it does not require any restriction on the aggregation step (though restriction may be needed
at times for certain applications). However, there is only one full aggregate signature scheme, proposed by
Boneh et al. [10]¹. Since this scheme is based on the short signature scheme of Boneh et al. [11], the
signature length it provides is also very short. However, the security of the scheme has only been proven in the
idealized random oracle model, and the number of pairing operations in the aggregate signature verification
algorithm is proportional to the number of signers in the aggregate signature.

The second type of aggregate signature is synchronized aggregate signature, which enables any user to
combine different signatures with the same synchronizing information into a single signature. The synchronized
aggregate signature has one drawback: all signers should share the same synchronizing information
(such as a time clock or another shared value). Gentry and Ramzan [18] introduced the concept of
synchronized aggregate signature. They proposed an identity-based synchronized aggregate signature scheme
using bilinear groups, and they proved its security in the random oracle model. We note that identity-based
aggregate signature (IBAS) is an ID-based scheme and thus relies on a trusted server knowing all private
keys (i.e., its trust structure is different from that in regular PKI). However, it also has a notable advantage
in that it is not required to retrieve the public keys of signers in the verification algorithm since an identity
string plays the role of a public key (this lack of public key is indicated in our comparison table as a public
key of no size!). Recently, Ahn et al. [1] presented a public-key synchronized aggregate signature scheme
without relying on random oracles.

¹ Subsequent to our work, Hohenberger et al. proposed an identity-based aggregate signature scheme that supports full
aggregation based on the recently introduced candidate multilinear maps of Garg et al.
The third type of aggregate signature is sequential aggregate signature (SAS), which enables each signer
to aggregate his signature to a previously aggregated signature in a sequential order. The sequential aggregate
signature has the obvious limitation of signers being ordered to aggregate their signatures, in contrast
to the full aggregate signature and the synchronized aggregate signature. However, it has an advantage in
that it is not required to share synchronized information among signers, in contrast to the synchronized
aggregate signature, and many natural applications lend themselves to this setting. The concept of sequential
aggregate signature was introduced by Lysyanskaya, Micali, Reyzin, and Shacham [29], and they proposed
a public-key sequential aggregate signature scheme using certified trapdoor permutations in the random
oracle model. Boldyreva et al. [7] presented an identity-based sequential aggregate signature scheme in
the random oracle model using an interactive assumption, but it was shown by Hwang et al. [20] that their
construction is not secure. After that, Boldyreva et al. [8] proposed a new identity-based sequential aggregate
signature by modifying their previous construction and proved its security in the generic group model.
Recently, Gerbush et al. [17] showed that the modified IBAS scheme of Boldyreva et al. [8] is secure under
static assumptions using the dual form signatures framework.

The first sequential aggregate signature scheme without random oracle idealization was proposed by
Lu et al. [27, 28]. They converted the PKS scheme of Waters [34] to a PKAS scheme and proved its
security under the well-known CDH assumption. However, their scheme has a drawback since the number
of group elements in a public key is proportional to the security parameter (for their security level they need
160 elements, or about 80 elements in a larger group); so they left as an open question how to design
a scheme with shorter public keys. Schröder proposed a PKAS scheme with short public keys relying
on the Camenisch-Lysyanskaya signature scheme [33]; however, the scheme's security is proven under an
interactive assumption (which, typically, is a relaxation used when designs based on static assumptions are
hard to find)². Therefore, the construction of an SAS scheme with short public keys without relaxations
such as random oracles or interactive assumptions was left as an open question.

1.2 Our Contributions 

Challenged by the above question, the motivation of our research is to construct an efficient SAS scheme
secure in the standard model (i.e., without employing assumptions such as random oracles or interactive
assumptions as part of the proof) with short public keys (e.g., a constant number of group elements). To
achieve this goal, we use the PKS scheme derived from the identity-based encryption (IBE) scheme, which
adopts the innovative dual system encryption technique of Waters [26, 35]. That is, an IBE scheme is first
converted to a PKS scheme by the clever observation of Naor [9]. The PKS schemes that adopt the dual
system encryption technique are the scheme of Waters [35], which includes a random tag in a signature, and
the scheme of Lewko and Waters [26], which does not include a random tag in a signature. The scheme of
Waters is not appropriate for aggregate signatures since the random tags in signatures cannot be compressed
into a single value. The scheme of Lewko and Waters in composite order groups is easily converted to
an aggregate signature scheme if an element in $\mathbb{G}_{p_3}$ is moved from a private key to a public key, but it is
inefficient because of composite order groups³.

² Gerbush et al. [17] showed that a modified Camenisch-Lysyanskaya signature scheme in composite order groups is secure
under static assumptions. However, it is unclear whether the construction of Schröder can be directly applied to this modified
Camenisch-Lysyanskaya signature scheme. The reason is that aggregating the $\mathbb{G}_{p_2}$ and $\mathbb{G}_{p_3}$ subgroups is hard, and a private key
element $g_{2,3} \in \mathbb{G}_{p_2 p_3}$ cannot be generated by the key generation algorithm of an aggregate signature scheme. Additionally, our
work and findings are independent of the work of Gerbush et al.

³ We can safely move the element in $\mathbb{G}_{p_3}$ from a private key to a public key since it is always given in assumptions. Lewko
obtained a prime order IBE scheme by translating the Lewko-Waters composite order IBE scheme using the dual pairing vector
Table 1: Comparison of aggregate signature schemes

Scheme          Type      ROM  KOSK  PK Size  AS Size    Sign Time     Verify Time   Assumption
BGLS [10]       Full      Yes  No    1kp      1kp        1E            lP            CDH
GR [18]         IB, Sync  Yes  No    -        2kp + λ    3E            3P + lE       CDH
AGH [1]         Sync      Yes  Yes   1kp      2kp + 32   6E            4P + lE       CDH
AGH [1]         Sync      No   Yes   1kp      2kp + 32   10E           8P + lE       CDH
LMRS [29]       Seq       Yes  No    1kf      1kf        lE            lE            cert TDP
Neven [31]      Seq       Yes  No    1kf      1kf + 2λ   1E + 2lM      2lM           uncert CFP
BGOY [8]        IB, Seq   Yes  No    -        3kp        4P + lE       4P + lE       Interactive
GLOW [17]       IB, Seq   Yes  No    -        5kf        10P + 2lE     10P + 2lE     Static
LOSSW [27]      Seq       No   Yes   2λkp     2kp        2P + 4λlM     2P + 2λlM     CDH
Schröder [33]   Seq       No   Yes   2kp      4kp        lP + 2lE      lP + lE       Interactive
Ours            Seq       No   Yes   11kp     8kp        8P + 5lE      8P + 4lE      Static
Ours            Seq       No   Yes   11kp     6kp        6P + 6lE      6P + 3lE      Static

ROM = random oracle model, KOSK = certified-key model, IB = identity based
λ = security parameter, kp, kf = the bit size of elements for pairing and factoring, l = the number of signers
P = pairing computation, E = exponentiation, M = multiplication


Therefore, we start the construction from the IBE scheme of Lewko and Waters (LW-IBE) [26] in
prime order (asymmetric) bilinear groups. However, the LW-PKS scheme, which is directly derived from
the LW-IBE scheme, is not easily converted to an SAS scheme (as far as we see). The reason is that we
need a PKS scheme that supports multi-users and public re-randomization to construct an SAS scheme by
using the randomness reuse technique of Lu et al. [27], but the LW-PKS scheme does not support these
two properties. Technically speaking, this directly converted LW-PKS scheme does not support multi-users
and public re-randomization since the group elements $g, u, h \in \mathbb{G}$ cannot be published in a public key.
To resolve this problem, we devised two independent solutions. Our first solution for this problem is to
randomize the verification algorithm of the LW-PKS scheme and publish $g, u, h \in \mathbb{G}$ in the public key. That
is, the verification components are additionally multiplied by randomization elements to prevent the verification
of invalid signatures. Our second solution for this problem is to randomize the group elements of the public key. That
is, we publish $g w_1^{c_g}, u w_1^{c_u}, h w_1^{c_h} \in \mathbb{G}$ in the public key instead of $g, u, h \in \mathbb{G}$.

Here we first construct two PKS schemes in prime order (asymmetric) bilinear groups that support multi-users
and public re-randomization by applying our two solutions to the LW-PKS scheme, and we prove their
security by using the dual system encryption technique. Next, we convert the modified PKS schemes to SAS
schemes with short public keys by using the randomness reuse technique, and then we prove their security
based on the traditional static assumptions without random oracles. Additionally, we present an efficient
multi-signature scheme based on our modified PKS scheme. Table 1 gives the comparison of past aggregate
signature schemes with ours.

spaces [25]. One may consider constructing an aggregate signature scheme using this IBE scheme. However, it is not easy to
aggregate individual signatures since the dual orthonormal basis vectors of each user are randomly generated.
1.3 Additional Related Work


There are some works on aggregate signature schemes that allow signers to communicate with each other
or schemes that compress only partial elements of a signature in the aggregate algorithm.
Generally, communication resources of computer systems are very expensive compared with computation
resources. Thus, it is preferred to perform several expensive computational operations rather than one single
communication exchange. Additionally, a signature scheme with added communications does not correspond
to a pure PKS scheme, but corresponds more to a multi-party protocol. In addition, PKS schemes
that compress just partial elements of signatures cannot be considered aggregate signature schemes since
the total size of signatures is still proportional to the number of signers.

Another research area related to aggregate signature is multi-signature [6, 21, 27]. Multi-signature is
a special type of aggregate signature in which all signers generate signatures on the same message, and
then any user can combine these signatures into a single signature. Aggregate message authentication code
(AMAC) is the symmetric key analogue of aggregate signature: Katz and Lindell introduced the concept
of AMAC and showed that it is possible to construct an AMAC scheme based on any message authentication
code scheme.

2 Preliminaries 

In this section, we define asymmetric bilinear groups and introduce the complexity assumptions for our
schemes. The description of the LW-IBE and LW-PKS schemes is given in Appendix A.

2.1 Asymmetric Bilinear Groups 

Let $\mathbb{G}, \hat{\mathbb{G}}$ and $\mathbb{G}_T$ be multiplicative cyclic groups of prime order $p$. Let $g$ and $\hat{g}$ be generators of $\mathbb{G}$ and $\hat{\mathbb{G}}$,
respectively. The bilinear map $e : \mathbb{G} \times \hat{\mathbb{G}} \to \mathbb{G}_T$ has the following properties:

1. Bilinearity: $\forall u \in \mathbb{G}, \forall v \in \hat{\mathbb{G}}$ and $\forall a, b \in \mathbb{Z}_p$, $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degeneracy: $e(g, \hat{g}) \neq 1$, that is, $e(g, \hat{g})$ is a generator of $\mathbb{G}_T$.

We say that $\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T$ are bilinear groups with no efficiently computable isomorphisms if the group operations
in $\mathbb{G}, \hat{\mathbb{G}}$, and $\mathbb{G}_T$ as well as the bilinear map $e$ are all efficiently computable, but there are no efficiently
computable isomorphisms between $\mathbb{G}$ and $\hat{\mathbb{G}}$.

2.2 Complexity Assumptions 

We employ four assumptions in prime order bilinear groups. The SXDH and DBDH assumptions have been
used extensively, while the LW1 and LW2 assumptions were introduced by Lewko and Waters [26].

Assumption 2.1 (Symmetric eXternal Diffie-Hellman, SXDH). Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of the
asymmetric bilinear group of prime order $p$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$ respectively. The assumption is
that if the challenge values

$D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), g, \hat{g}, g^a, g^b)$ and $T$,

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0 = g^{ab}$ from $T = T_1 = g^c$ with more than a negligible
advantage. The advantage of $\mathcal{B}$ is defined as $\mathrm{Adv}^{SXDH}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$ where
the probability is taken over the random choice of $a, b, c \in \mathbb{Z}_p$.
Assumption 2.2 (LW1). Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of the asymmetric bilinear group of prime
order $p$ with the security parameter $\lambda$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$ respectively. The assumption is that if
the challenge values

$D$ and $T$

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0$ from $T = T_1$ with more than a negligible
advantage. The advantage of $\mathcal{B}$ is defined as $\mathrm{Adv}^{LW1}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$ where the
probability is taken over the random choice of $a, b, c, d \in \mathbb{Z}_p$.

Assumption 2.3 (LW2). Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of the asymmetric bilinear group of prime
order $p$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$ respectively. The assumption is that if the challenge values

$D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), g, g^a, \ldots, \hat{g}, \ldots)$ and $T$,

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0 = g^{bc}$ from $T = T_1 = g^d$ with more than a negligible
advantage. The advantage of $\mathcal{B}$ is defined as $\mathrm{Adv}^{LW2}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$ where the
probability is taken over the random choice of $a, b, c, x, d \in \mathbb{Z}_p$.

Assumption 2.4 (Decisional Bilinear Diffie-Hellman, DBDH). Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of the
asymmetric bilinear group of prime order $p$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$ respectively. The assumption is
that if the challenge values

$D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), g, g^a, g^b, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, \hat{g}^c)$ and $T$,

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0 = e(g, \hat{g})^{abc}$ from $T = T_1 = e(g, \hat{g})^d$ with more than a
negligible advantage. The advantage of $\mathcal{B}$ is defined as $\mathrm{Adv}^{DBDH}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$
where the probability is taken over the random choice of $a, b, c, d \in \mathbb{Z}_p$.

The LW1 and LW2 assumptions are falsifiable since they are not interactive (or even $q$-type) assumptions,
and they obviously hold in the generic bilinear group model since the target polynomial in $T$ is independent
of the given polynomials in $D$.

3 Public-Key Signature 

In this section, we propose two PKS schemes with short public keys and prove their security under static 
assumptions. 

3.1 Definitions 

The concept of PKS was introduced by Diffie and Hellman [13]. In PKS, a signer first generates a public
key and a private key, and then he publishes the public key. The signer generates a signature on a message
by using his private key. A verifier can check the validity of the signer's signature on the message by using
the signer's public key. A PKS scheme is formally defined as follows:

Definition 3.1 (Public-Key Signature). A public key signature (PKS) scheme consists of three PPT algorithms
KeyGen, Sign, and Verify, which are defined as follows:
KeyGen($1^\lambda$). The key generation algorithm takes as input the security parameter $1^\lambda$ and outputs a public
key $PK$ and a private key $SK$.

Sign($M, SK$). The signing algorithm takes as input a message $M$ and a private key $SK$ and outputs a
signature $\sigma$.

Verify($\sigma, M, PK$). The verification algorithm takes as input a signature $\sigma$, a message $M$, and a public key
$PK$ and outputs either 1 or 0, depending on the validity of the signature.

The correctness requirement is that for any $(PK, SK)$ output by KeyGen and any $M \in \mathcal{M}$, we have
Verify(Sign($M, SK$), $M, PK$) = 1. We can relax this notion to require that the verification is correct with
overwhelming probability over all the randomness of the experiment.

The security model of PKS is defined as existential unforgeability under a chosen message attack (EUF-CMA),
and this was formally defined by Goldwasser et al. In this security model, an adversary adaptively
requests a polynomial number of signatures on messages through the signing oracle, and he finally
outputs a forged signature on a message $M^*$. If the message $M^*$ was not queried to the signing oracle and
the forged signature is valid, then the adversary wins this game. The security of PKS is formally defined as
follows:

Definition 3.2 (Security). The security notion of existential unforgeability under a chosen message attack
is defined in terms of the following experiment between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

1. Setup: $\mathcal{C}$ first generates a key pair $(PK, SK)$ by running KeyGen, and gives $PK$ to $\mathcal{A}$.

2. Signature Query: Then $\mathcal{A}$, adaptively and polynomially many times, requests a signature query on
a message $M$ under the challenge public key $PK$, and receives a signature $\sigma$ generated by running
Sign.

3. Output: Finally, $\mathcal{A}$ outputs a forged signature $\sigma^*$ on a message $M^*$. $\mathcal{C}$ then outputs 1 if the forged
signature satisfies the following two conditions, or outputs 0 otherwise: 1) Verify($\sigma^*, M^*, PK$) = 1
and 2) $M^*$ was not queried by $\mathcal{A}$ to the signing oracle.

The advantage of $\mathcal{A}$ is defined as $\mathrm{Adv}^{PKS}_{\mathcal{A}}(\lambda) = \Pr[\mathcal{C} = 1]$ where the probability is taken over all the
randomness of the experiment. A PKS scheme is existentially unforgeable under a chosen message attack if all
PPT adversaries have at most a negligible advantage in the above experiment (for a large enough security
parameter).

3.2 Construction 

We construct PKS schemes with a short public key that will be augmented to support multi-users and public
re-randomization. To construct a PKS scheme with a short public key, we may convert the LW-IBE scheme
[26] in prime order groups to the LW-PKS scheme in prime order groups by using the transformation of
Naor [9]. However, this directly converted LW-PKS scheme does not support multi-users and public
re-randomization since it is necessary to publish additional public key components: Specifically, we need to
publish an element $g$ for multi-users and elements $g, u, h$ for public re-randomization. Note that $\hat{g}, \hat{u}, \hat{h}$ are
already in the public key, but $g, u, h$ are not. One may try to publish $g, u, h$ in the public key, but a technical
difficulty arises in this case in that the simulator of the security proof can easily distinguish the normal
verification algorithm from the semi-functional one, without using an adversary. Thus the simulator of Lewko
and Waters sets the CDH value into the elements $g, u, h$ to prevent the simulator from creating these elements.

To solve this problem, we devise two independent solutions. The first solution allows a PKS scheme
to safely publish elements $g, u, h$ in the public key for multi-users and public re-randomization. The main
idea is to additionally randomize the verification components using $\hat{v}, \hat{v}^{\nu_3}, \hat{v}^{-\pi}$ in the verification algorithm.
If a valid signature is given to the verification algorithm, then the additionally added randomization elements
are canceled. Otherwise, the added randomization components prevent the verification of
an invalid signature. Therefore, the simulator of the security proof cannot detect the changes of the verification
algorithm even if $g, u, h$ are published, since the additional elements prevent the signature
verification.

Our second solution for this problem is to publish randomized components $g w_1^{c_g}, u w_1^{c_u}, h w_1^{c_h}$ that are
additionally multiplied with random elements rather than directly publishing $g, u, h$. In this case, the simulator
can create these elements since the random exponents $c_g, c_u, c_h$ can be used to cancel out the CDH value
embedded in the elements $g, u, h$. Additionally, the simulator cannot detect the changes of verification
components for the forged signature because of the added elements $w_1^{c_g}, w_1^{c_u}, w_1^{c_h}$. This solution does not increase
the number of group elements in the signatures; rather, it increases the number of public key elements since the additional
elements $w_2^{c_g}, w^{c_g}, w_2^{c_u}, w^{c_u}, w_2^{c_h}, w^{c_h}$ should be published.


3.2.1 Our PKS1 Scheme

Our first PKS scheme in prime order bilinear groups is described as follows:

PKS1.KeyGen($1^\lambda$): This algorithm first generates the asymmetric bilinear groups $\mathbb{G}, \hat{\mathbb{G}}$ of prime order $p$ of
bit size $\Theta(\lambda)$. It chooses random elements $g, w \in \mathbb{G}$ and $\hat{g}, \hat{v} \in \hat{\mathbb{G}}$. Next, it chooses random exponents
$\nu_1, \nu_2, \nu_3, \phi_1, \phi_2, \phi_3 \in \mathbb{Z}_p$ and sets $\tau = \phi_1 + \nu_1 \phi_2 + \nu_2 \phi_3$, $\pi = \phi_2 + \nu_3 \phi_3$. It selects random exponents
$\alpha, x, y \in \mathbb{Z}_p$ and sets $u = g^x, h = g^y, \hat{u} = \hat{g}^x, \hat{h} = \hat{g}^y, w_1 = w^{\phi_1}, w_2 = w^{\phi_2}, w_3 = w^{\phi_3}$. It outputs a private
key $SK = \alpha$ and a public key as

$PK = \big( (p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ g, u, h,\ w_1, w_2, w_3, w,\ \hat{g}, \hat{g}^{\nu_1}, \hat{g}^{\nu_2}, \hat{g}^{-\tau},\ \hat{u}, \hat{u}^{\nu_1}, \hat{u}^{\nu_2}, \hat{u}^{-\tau},$
$\hat{h}, \hat{h}^{\nu_1}, \hat{h}^{\nu_2}, \hat{h}^{-\tau},\ \hat{v}, \hat{v}^{\nu_3}, \hat{v}^{-\pi},\ \Omega = e(g, \hat{g})^{\alpha} \big)$.

PKS1.Sign($M, SK$): This algorithm takes as input a message $M \in \{0,1\}^k$ where $k < \lambda$ and a private key
$SK = \alpha$. It selects random exponents $r, c_1, c_2 \in \mathbb{Z}_p$ and outputs a signature as

$\sigma = \big( W_{1,1} = g^{\alpha} (u^M h)^r w_1^{c_1},\ W_{1,2} = w_2^{c_1},\ W_{1,3} = w_3^{c_1},\ W_{1,4} = w^{c_1},$
$W_{2,1} = g^r w_1^{c_2},\ W_{2,2} = w_2^{c_2},\ W_{2,3} = w_3^{c_2},\ W_{2,4} = w^{c_2} \big)$.

PKS1.Verify($\sigma, M, PK$): This algorithm takes as input a signature $\sigma$ on a message $M \in \{0,1\}^k$ under a
public key $PK$. It first chooses random exponents $t, s_1, s_2 \in \mathbb{Z}_p$ and computes verification components
as

$V_{1,1} = \hat{g}^t,\ V_{1,2} = (\hat{g}^{\nu_1})^t \hat{v}^{s_1},\ V_{1,3} = (\hat{g}^{\nu_2})^t (\hat{v}^{\nu_3})^{s_1},\ V_{1,4} = (\hat{g}^{-\tau})^t (\hat{v}^{-\pi})^{s_1},$
$V_{2,1} = (\hat{u}^M \hat{h})^t,\ V_{2,2} = ((\hat{u}^M \hat{h})^{\nu_1})^t \hat{v}^{s_2},\ V_{2,3} = ((\hat{u}^M \hat{h})^{\nu_2})^t (\hat{v}^{\nu_3})^{s_2},\ V_{2,4} = ((\hat{u}^{-\tau})^M \hat{h}^{-\tau})^t (\hat{v}^{-\pi})^{s_2}$.

Next, it verifies that $\prod_{i=1}^{4} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{4} e(W_{2,i}, V_{2,i})^{-1} = \Omega^t$. If this equation holds, then it outputs
1. Otherwise, it outputs 0.

We note that the inner product of $(\phi_1, \phi_2, \phi_3, 1)$ and $(1, \nu_1, \nu_2, -\tau)$ is zero since $\tau = \phi_1 + \nu_1 \phi_2 + \nu_2 \phi_3$,
and the inner product of $(\phi_1, \phi_2, \phi_3, 1)$ and $(0, 1, \nu_3, -\pi)$ is zero since $\pi = \phi_2 + \nu_3 \phi_3$. Using these facts, the
correctness of PKS1 is easily obtained from the equation

$\prod_{i=1}^{4} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{4} e(W_{2,i}, V_{2,i})^{-1} = e(g^{\alpha} (u^M h)^r, \hat{g}^t) \cdot e(g^r, (\hat{u}^M \hat{h})^t)^{-1} = \Omega^t$.


3.2.2 Our PKS2 Scheme

Our second PKS scheme in prime order bilinear groups is described as follows:

PKS2.KeyGen($1^\lambda$): This algorithm first generates the asymmetric bilinear groups $\mathbb{G}, \hat{\mathbb{G}}$ of prime order $p$
of bit size $\Theta(\lambda)$. It chooses random elements $g, w \in \mathbb{G}$ and $\hat{g} \in \hat{\mathbb{G}}$. Next, it selects random exponents
$\nu, \phi_1, \phi_2 \in \mathbb{Z}_p$ and sets $\tau = \phi_1 + \nu \phi_2$. It also selects random exponents $\alpha, x, y \in \mathbb{Z}_p$ and sets $u = g^x, h = g^y,$
$\hat{u} = \hat{g}^x, \hat{h} = \hat{g}^y, w_1 = w^{\phi_1}, w_2 = w^{\phi_2}$. It outputs a private key $SK = (\alpha, g, u, h)$ and a public key by
selecting random values $c_g, c_u, c_h \in \mathbb{Z}_p$ as

$PK = \big( (p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ g w_1^{c_g}, w_2^{c_g}, w^{c_g},\ u w_1^{c_u}, w_2^{c_u}, w^{c_u},\ h w_1^{c_h}, w_2^{c_h}, w^{c_h},$
$w_1, w_2, w,\ \hat{g}, \hat{g}^{\nu}, \hat{g}^{-\tau},\ \hat{u}, \hat{u}^{\nu}, \hat{u}^{-\tau},\ \hat{h}, \hat{h}^{\nu}, \hat{h}^{-\tau},\ \Omega = e(g, \hat{g})^{\alpha} \big)$.

PKS2.Sign($M, SK$): This algorithm takes as input a message $M \in \mathbb{Z}_p$ and a private key $SK = (\alpha, g, u, h)$
with $PK$. It selects random exponents $r, c_1, c_2 \in \mathbb{Z}_p$ and outputs a signature as

$\sigma = \big( W_{1,1} = g^{\alpha} (u^M h)^r w_1^{c_1},\ W_{1,2} = w_2^{c_1},\ W_{1,3} = w^{c_1},$
$W_{2,1} = g^r w_1^{c_2},\ W_{2,2} = w_2^{c_2},\ W_{2,3} = w^{c_2} \big)$.

PKS2.Verify($\sigma, M, PK$): This algorithm takes as input a signature $\sigma$ on a message $M \in \mathbb{Z}_p$ under a public
key $PK$. It chooses a random exponent $t \in \mathbb{Z}_p$ and computes verification components as

$V_{1,1} = \hat{g}^t,\ V_{1,2} = (\hat{g}^{\nu})^t,\ V_{1,3} = (\hat{g}^{-\tau})^t,$
$V_{2,1} = (\hat{u}^M \hat{h})^t,\ V_{2,2} = ((\hat{u}^M \hat{h})^{\nu})^t,\ V_{2,3} = ((\hat{u}^{-\tau})^M \hat{h}^{-\tau})^t$.

Next, it verifies that $\prod_{i=1}^{3} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(W_{2,i}, V_{2,i})^{-1} = \Omega^t$. If this equation holds, then it outputs
1. Otherwise, it outputs 0.

We note that the inner product of $(\phi_1, \phi_2, 1)$ and $(1, \nu, -\tau)$ is zero since $\tau = \phi_1 + \nu \phi_2$. Using this fact,
the correctness of PKS2 is easily obtained from the following equation

$\prod_{i=1}^{3} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(W_{2,i}, V_{2,i})^{-1} = e(g^{\alpha} (u^M h)^r, \hat{g}^t) \cdot e(g^r, (\hat{u}^M \hat{h})^t)^{-1} = \Omega^t$.
3.3 Security Analysis

We prove the security of our PKS schemes without random oracles under static assumptions. To prove
the security, we use the dual system encryption technique of Lewko and Waters [26]. The dual system
encryption technique was originally developed to prove the full-model security of IBE and its extensions, but
it can also be used to prove the security of PKS by using the transformation of Naor [9]. Note that Gerbush
et al. [17] developed the dual form signature technique, a variation of the dual system encryption
technique, to prove the security of their PKS schemes.

3.3.1 Analysis of PKS1

Theorem 3.3. The above PKS1 scheme is existentially unforgeable under a chosen message attack if the
SXDH, LW2, and DBDH assumptions hold. That is, for any PPT adversary $\mathcal{A}$, there exist PPT algorithms $\mathcal{B}_1, \mathcal{B}_2, \mathcal{B}_3$
such that $\mathrm{Adv}^{PKS1}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{SXDH}_{\mathcal{B}_1}(\lambda) + q \cdot \mathrm{Adv}^{LW2}_{\mathcal{B}_2}(\lambda) + \mathrm{Adv}^{DBDH}_{\mathcal{B}_3}(\lambda)$ where $q$ is the maximum
number of signature queries of $\mathcal{A}$.

Proof. To use the dual system encryption technique of Lewko and Waters [26], we first describe a semi-functional
signing algorithm and a semi-functional verification algorithm. They are not used in a real system;
rather, they are used in the security proof. When comparing our proof to that of Lewko and Waters, we
employ a different assumption since we have published additional elements $g, u, h$ used in aggregation (in
fact, direct adaptation of the earlier technique would break the assumption and thus the proof). A crucial idea
in our proof is that we have added elements $\hat{v}, \hat{v}^{\nu_3}, \hat{v}^{-\pi}$ in the public key that are used in the randomization of the
verification algorithm. In the security proof, when moving from normal to semi-functional verification, it is
the randomization elements $\hat{v}, \hat{v}^{\nu_3}, \hat{v}^{-\pi}$ that are expanded to the semi-functional space; this enables deriving
semi-functional verification as part of the security proof under our assumption, without being affected by
the publication of the additional public key elements used for aggregation.

For the semi-functional signing and verification, we set $f = g^{y_f}$, $\hat{f} = \hat{g}^{y_f}$ where $y_f$ is a random exponent
in $\mathbb{Z}_p$.

PKS1.SignSF. The semi-functional signing algorithm first creates a normal signature using the private key.
Let $(W'_{1,1}, \ldots, W'_{2,4})$ be the normal signature of a message $M$ with random exponents $r, c_1, c_2 \in \mathbb{Z}_p$. It
selects random exponents $s_k, z_k \in \mathbb{Z}_p$ and outputs a semi-functional signature as

$\sigma = \big( W_{1,1} = W'_{1,1} (f^{\nu_1 \nu_3 - \nu_2})^{s_k z_k},\ W_{1,2} = W'_{1,2} (f^{-\nu_3})^{s_k z_k},\ W_{1,3} = W'_{1,3} f^{s_k z_k},\ W_{1,4} = W'_{1,4},$
$W_{2,1} = W'_{2,1} (f^{\nu_1 \nu_3 - \nu_2})^{s_k},\ W_{2,2} = W'_{2,2} (f^{-\nu_3})^{s_k},\ W_{2,3} = W'_{2,3} f^{s_k},\ W_{2,4} = W'_{2,4} \big)$.

PKS1.VerifySF. The semi-functional verification algorithm first creates normal verification components
using the public key. Let $(V'_{1,1}, \ldots, V'_{2,4})$ be the normal verification components with random exponents
$t, s_1, s_2 \in \mathbb{Z}_p$. It chooses random exponents $s_c, z_c \in \mathbb{Z}_p$ and computes semi-functional verification
components as

$V_{1,1} = V'_{1,1},\ V_{1,2} = V'_{1,2},\ V_{1,3} = V'_{1,3} \hat{f}^{s_c},\ V_{1,4} = V'_{1,4} (\hat{f}^{-\phi_3})^{s_c},$
$V_{2,1} = V'_{2,1},\ V_{2,2} = V'_{2,2},\ V_{2,3} = V'_{2,3} \hat{f}^{s_c z_c},\ V_{2,4} = V'_{2,4} (\hat{f}^{-\phi_3})^{s_c z_c}$.

Next, it verifies that $\prod_{i=1}^{4} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{4} e(W_{2,i}, V_{2,i})^{-1} = \Omega^t$. If this equation holds, then it outputs
1. Otherwise, it outputs 0.
Note that if the semi-functional verification algorithm verifies a semi-functional signature, then the left part
of the above verification equation contains an additional random element $e(f, \hat{f})^{s_c s_k (z_k - z_c)}$. If $z_k = z_c$, then
the semi-functional verification algorithm succeeds. In this case, we say that the signature is nominally
semi-functional.
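The following script is an added illustration, not code from the paper: it models PKS1 (Section 3.2.1) and the semi-functional algorithms above "in the exponent", representing every group element by its discrete logarithm so that the pairing becomes a product in $\mathbb{Z}_p$. It checks the correctness equation, the orthogonality cancellations behind it, and the nominally semi-functional case $z_k = z_c$; the prime, the seed and the sample message are constructed values.

```python
"""Exponent-space model of PKS1 and its semi-functional variants (toy, not secure).

Elements of G, Ĝ and G_T are stored as discrete logs to the bases g, ĝ and e(g, ĝ):
group multiplication becomes addition mod p, exponentiation becomes multiplication
mod p, and the pairing e(g^a, ĝ^b) = e(g, ĝ)^{ab} becomes a*b mod p.  Only the algebra
of the scheme is checked here; every discrete log is in the clear.
"""
import random

P = 2**61 - 1                 # toy prime group order (constructed, not from the paper)
rng = random.Random(2024)     # fixed seed so runs are reproducible


def rand():
    """Random non-zero exponent in Z_p."""
    return rng.randrange(1, P)


def keygen():
    w, v = rand(), rand()                               # log_g(w), log_ĝ(v̂)
    nu1, nu2, nu3, phi1, phi2, phi3 = (rand() for _ in range(6))
    tau = (phi1 + nu1 * phi2 + nu2 * phi3) % P          # τ = φ1 + ν1 φ2 + ν2 φ3
    pi = (phi2 + nu3 * phi3) % P                        # π = φ2 + ν3 φ3
    alpha, x, y = rand(), rand(), rand()                # u = g^x, h = g^y, û = ĝ^x, ĥ = ĝ^y
    pk = {"x": x, "y": y, "nu": (nu1, nu2, nu3), "tau": tau, "pi": pi, "v": v,
          "w": (phi1 * w % P, phi2 * w % P, phi3 * w % P, w),   # logs of w1, w2, w3, w
          "omega": alpha}                               # Ω = e(g, ĝ)^α has log α
    sk = {"alpha": alpha, "phi3": phi3}                 # φ3 is needed only by VerifySF
    return pk, sk


def _wpart(pk, c):
    """Logs of (w1^c, w2^c, w3^c, w^c)."""
    return [c * wi % P for wi in pk["w"]]


def sign(pk, sk, M):
    r, c1, c2 = rand(), rand(), rand()
    hm = (pk["x"] * M + pk["y"]) % P                    # log of u^M h
    W1 = _wpart(pk, c1)
    W1[0] = (W1[0] + sk["alpha"] + hm * r) % P          # W1,1 = g^α (u^M h)^r w1^{c1}
    W2 = _wpart(pk, c2)
    W2[0] = (W2[0] + r) % P                             # W2,1 = g^r w1^{c2}
    return W1, W2


def _vpart(pk, base, s):
    """Logs of (B^t, (B^{ν1})^t v̂^s, (B^{ν2})^t (v̂^{ν3})^s, (B^{-τ})^t (v̂^{-π})^s); base = log(B^t)."""
    nu1, nu2, nu3 = pk["nu"]
    v = pk["v"]
    return [base, (nu1 * base + s * v) % P, (nu2 * base + nu3 * s * v) % P,
            (-pk["tau"] * base - pk["pi"] * s * v) % P]


def verify_components(pk, M):
    t, s1, s2 = rand(), rand(), rand()
    hm = (pk["x"] * M + pk["y"]) % P                    # log of û^M ĥ
    return t, _vpart(pk, t, s1), _vpart(pk, hm * t % P, s2)


def check(pk, sig, t, V1, V2):
    """prod e(W1,i, V1,i) * prod e(W2,i, V2,i)^{-1} == Ω^t, evaluated in the exponent."""
    W1, W2 = sig
    lhs = (sum(a * b for a, b in zip(W1, V1)) - sum(a * b for a, b in zip(W2, V2))) % P
    return lhs == pk["omega"] * t % P


def verify(pk, sig, M):
    return check(pk, sig, *verify_components(pk, M))


def sign_sf(pk, sk, M, yf, zk):
    """PKS1.SignSF: add f-components along a direction orthogonal to normal verification."""
    W1, W2 = sign(pk, sk, M)
    nu1, nu2, nu3 = pk["nu"]
    s_k = rand()
    fdir = [(nu1 * nu3 - nu2) % P, (-nu3) % P, 1, 0]    # (f^{ν1ν3-ν2}, f^{-ν3}, f, 1)
    for i in range(4):
        W1[i] = (W1[i] + fdir[i] * yf * s_k * zk) % P
        W2[i] = (W2[i] + fdir[i] * yf * s_k) % P
    return W1, W2


def verify_sf(pk, sk, sig, M, yf, zc):
    """PKS1.VerifySF: add f̂-components orthogonal to normal signatures (uses φ3)."""
    t, V1, V2 = verify_components(pk, M)
    s_c = rand()
    V1[2] = (V1[2] + yf * s_c) % P
    V1[3] = (V1[3] - sk["phi3"] * yf * s_c) % P
    V2[2] = (V2[2] + yf * s_c * zc) % P
    V2[3] = (V2[3] - sk["phi3"] * yf * s_c * zc) % P
    return check(pk, sig, t, V1, V2)


def demo():
    """Returns the five facts the hybrid argument relies on, as booleans."""
    pk, sk = keygen()
    M, yf = 1234567, rand()                             # constructed sample message
    normal = sign(pk, sk, M)
    semi = sign_sf(pk, sk, M, yf, zk=7)
    return (verify(pk, normal, M),                      # correctness
            verify(pk, semi, M),                        # normal Verify accepts SF signatures
            verify_sf(pk, sk, normal, M, yf, zc=9),     # VerifySF accepts normal signatures
            verify_sf(pk, sk, semi, M, yf, zc=7),       # nominally SF: z_k = z_c
            verify_sf(pk, sk, semi, M, yf, zc=9))       # SF vs SF with z_k != z_c fails
```

The last entry of `demo()` is where the extra factor $e(f, \hat{f})^{s_c s_k (z_k - z_c)}$ shows up as a non-zero exponent.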

The security proof uses a sequence of games $G_0, G_1, G_2$, and $G_3$: The first game $G_0$ will be the original security game and the last game $G_3$ will be a game such that an adversary A has no advantage. Formally, the hybrid games are defined as follows:

Game $G_0$. This game is the original security game. In this game, the signatures that are given to A are normal and the challenger uses the normal verification algorithm Verify to check the validity of the forged signature of A.

Game $G_1$. We first modify the original game to a new game $G_1$. This game is almost identical to $G_0$ except that the challenger uses the semi-functional verification algorithm VerifySF to check the validity of the forged signature of A.

Game $G_2$. Next, we change $G_1$ to a new game $G_2$. This game is the same as $G_1$ except that the signatures that are given to A will be semi-functional. At this moment, the signatures are semi-functional and the challenger uses the semi-functional verification algorithm VerifySF to check the validity of the forged signature. Suppose that A makes at most $q$ signature queries. For the security proof, we define a sequence of hybrid games $G_{1,0}, \dots, G_{1,k}, \dots, G_{1,q}$ where $G_{1,0} = G_1$. In $G_{1,k}$, a normal signature is given to A for all $j$-th signature queries such that $j > k$, and a semi-functional signature is given to A for all $j$-th signature queries such that $j \le k$. It is obvious that $G_{1,q}$ is equal to $G_2$.

Game $G_3$. Finally, we define a new game $G_3$. This game differs from $G_2$ in that the challenger always rejects the forged signature of A. Therefore, the advantage of this game is zero since A cannot win this game.

For the security proof, we show the indistinguishability of each pair of adjacent hybrid games. We informally describe the meaning of each indistinguishability as follows:

• Indistinguishability of $G_0$ and $G_1$: This property shows that A cannot forge a semi-functional signature if it is only given normal signatures. That is, if A forges a semi-functional signature, then it can distinguish $G_0$ from $G_1$.

• Indistinguishability of $G_1$ and $G_2$: This property shows that the probability of A forging a normal signature is almost the same when the signatures given to the adversary are changed from the normal type to the semi-functional type. That is, if the probability of A forging a normal signature is different in $G_1$ and $G_2$, then A can distinguish the two games.

• Indistinguishability of $G_2$ and $G_3$: This property shows that A cannot forge a normal signature if it is only given semi-functional signatures. That is, if A forges a normal signature, then it can distinguish $G_2$ from $G_3$.

The security (unforgeability) of our PKS scheme follows from a hybrid argument. We first consider an adversary A attacking our PKS scheme in the original security game $G_0$. By the indistinguishability of $G_0$ and $G_1$, we have that A can forge a normal signature with a non-negligible probability $\varepsilon$, but it can forge a semi-functional signature with only a negligible probability. Now we should show that the probability $\varepsilon$ of A forging a normal signature is also negligible. By the indistinguishability of $G_1$ and $G_2$, we have that the probability $\varepsilon$ of A forging a normal signature is almost the same when the signatures given to A are changed from the normal type to the semi-functional type. Finally, by the indistinguishability of $G_2$ and $G_3$, we have that A can forge a normal signature with only a negligible probability. Summing up, we obtain that the probability of A forging a semi-functional signature is negligible (from the indistinguishability of $G_0$ and $G_1$) and the probability of A forging a normal signature is also negligible (from the indistinguishability of $G_2$ and $G_3$).

Let $\mathrm{Adv}^{G_j}_{A}$ be the advantage of A in $G_j$ for $j = 0, \dots, 3$. Let $\mathrm{Adv}^{G_{1,k}}_{A}$ be the advantage of A in $G_{1,k}$ for $k = 0, \dots, q$. It is clear that $\mathrm{Adv}^{G_0}_{A} = \mathrm{Adv}^{PKS}_{A}(\lambda)$, $\mathrm{Adv}^{G_{1,0}}_{A} = \mathrm{Adv}^{G_1}_{A}$, $\mathrm{Adv}^{G_{1,q}}_{A} = \mathrm{Adv}^{G_2}_{A}$, and $\mathrm{Adv}^{G_3}_{A} = 0$. From the following three lemmas, we prove that it is hard for A to distinguish $G_{i-1}$ from $G_i$ under the given assumptions. Therefore, we have that

$$
\mathrm{Adv}^{PKS}_{A}(\lambda)
 = \mathrm{Adv}^{G_0}_{A} + \sum_{i=1}^{2}\bigl(\mathrm{Adv}^{G_i}_{A} - \mathrm{Adv}^{G_i}_{A}\bigr) - \mathrm{Adv}^{G_3}_{A}
 \le \sum_{i=1}^{3}\bigl|\mathrm{Adv}^{G_{i-1}}_{A} - \mathrm{Adv}^{G_i}_{A}\bigr|
 = \mathrm{Adv}^{SXDH}_{B_1}(\lambda) + \sum_{k=1}^{q}\mathrm{Adv}^{LW2}_{B_2}(\lambda) + \mathrm{Adv}^{DBDH}_{B_3}(\lambda).
$$

This completes our proof. □

Lemma 3.4. If the SXDH assumption holds, then no polynomial-time adversary can distinguish between $G_0$ and $G_1$ with non-negligible advantage. That is, for any adversary A there exists a PPT algorithm $B_1$ such that $|\mathrm{Adv}^{G_0}_{A} - \mathrm{Adv}^{G_1}_{A}| = \mathrm{Adv}^{SXDH}_{B_1}(\lambda)$.

Proof. Before proving this lemma, we introduce the parallel-SXDH assumption as follows: Let $(p, G, \hat G, G_T, e)$ be a description of the asymmetric bilinear group of prime order $p$. Let $k, \hat k$ be generators of $G, \hat G$ respectively. The assumption is stated as follows: given a challenge tuple $D = ((p, G, \hat G, G_T, e), k, \hat k, \hat k^{a}, \hat k^{d_1}, \hat k^{d_2})$ and $T = (A_1, A_2)$, it is hard to decide whether $T = (\hat k^{a d_1}, \hat k^{a d_2})$ or $T = (\hat k^{a d_1 + d_3}, \hat k^{a d_2 + d_4})$ with random choices of $a, d_1, d_2, d_3, d_4 \in \mathbb{Z}_p$. It is easy to prove by a simple hybrid argument that if there exists an adversary that breaks the parallel-SXDH assumption, then it can break the SXDH assumption. Alternatively, we can prove the reduction tightly using the random self-reducibility of the Decisional Diffie-Hellman assumption.

Suppose there exists an adversary A that distinguishes between $G_0$ and $G_1$ with non-negligible advantage. A simulator $B_1$ that solves the parallel-SXDH assumption using A is given: a challenge tuple $D = ((p, G, \hat G, G_T, e), k, \hat k, \hat k^{a}, \hat k^{d_1}, \hat k^{d_2})$ and $T = (A_1, A_2)$ where $T = T_0 = (A^0_1, A^0_2) = (\hat k^{a d_1}, \hat k^{a d_2})$ or $T = T_1 = (A^1_1, A^1_2) = (\hat k^{a d_1 + d_3}, \hat k^{a d_2 + d_4})$. Then $B_1$ that interacts with A is described as follows: $B_1$ first chooses
random exponents Vi,V 2 ,(j>i,(j> 2 ,(l >3 € ^p, then it sets r = (j)i Vi ^2 + V 2 <t> 3 - It selects random exponents 
ct,x,y,yg,yv,yw G Zp and sets g = k^n,u = g^,h = g^,wi = k^'’'^\w 2 = k^'“‘^,W 3 = ,w = k^'^,g = Pii,u = 
g^,h = g^. It implicitly sets V 3 = a, tt = ^2 + ti ^3 and publishes a public key PK as 


7 A. A-Vi — T -^Vi — T 

g, u,h, Wl,W2,W3,W, g,g fg fg ,u,u\ufu , 

h, h''fh''fh-f v = p\v^^ = {ky\r^ = a 


e{g,gr. 


It sets a private key $SK = \alpha$. Additionally, it sets $f = k, \hat f = \hat k$ for the semi-functional signature and verification. A adaptively requests a signature for a message $M$. To respond to this signing query, $B_1$ creates a normal signature by calling PKS1.Sign since it knows the private key. Note that it cannot create a semi-functional signature since it does not know $k^{a}$. Finally, A outputs a forged signature $\sigma^* = (W^*_{1,1}, \dots, W^*_{2,4})$ on a message $M^*$. To verify the forged signature, $B_1$ first chooses a random exponent $t \in \mathbb{Z}_p$ and computes verification components by implicitly setting $s_1 = d_1$, $s_2 = d_2$ as

Via =g\ Vi.2 = ^^1,3 = {g^^y{Ai)y% yi,4 = 

V 2 A = {u^’h)\ V 2,2 = V 23 = {{u^y^’h^y\A 2 y% 

V2,4 = {{u-y^*h-yy¥y-y-‘^{A2)~y''‘^\ 

Next, it verifies that • 0^=1 ^(^^ 2 *,-, 1^2,()~^ = . If this equation holds, then it outputs 0. Otherwise, it outputs 1.

To finish this proof, we show that the distribution of the simulation is correct. We first show that the distribution using $D, T_0 = (A^0_1, A^0_2) = (\hat k^{a d_1}, \hat k^{a d_2})$ is the same as $G_0$. The public key is correctly distributed since the random blinding values $y_g, y_w, y_v$ are used. The signature is correctly distributed since it uses the signing algorithm. The verification components are correctly distributed as

vi,3 = = myA^y^ 

yi4 = = {g-yyryd'h+a<h)Y^ = {g-yy]yy-y^^{A^y-y^‘^y 

^2,3 = = {{ayy^^hyyyA^y^ 

^2,4 = {{u-y^*h-yyr^y^ = {{u-y^*h-yyk-yv^+‘^^'^Y^ 

= {{u-y^*h-yy¥y-y^^{Al)-y''^\ 

We next show that the distribution of the simulation using $D, T_1 = (A^1_1, A^1_2) = (\hat k^{a d_1 + d_3}, \hat k^{a d_2 + d_4})$ is the same as $G_1$. We only consider the distribution of the verification components since $T$ is only used in the verification components. The difference between $T_0 = (A^0_1, A^0_2)$ and $T_1 = (A^1_1, A^1_2)$ is that $T_1$ additionally has $(\hat k^{d_3}, \hat k^{d_4})$. Thus $V_{1,3}, V_{1,4}, V_{2,3}, V_{2,4}$ that have $T = (A_1, A_2)$ in the simulation additionally have powers of $\hat k^{d_3}$ (in $V_{1,3}, V_{1,4}$) and of $\hat k^{d_4}$ (in $V_{2,3}, V_{2,4}$), respectively. If we implicitly set $s_c = y_v d_3$, $z_c = d_4 / d_3$, then the verification components for the forged signature are semi-functional since $d_3, d_4$ are randomly chosen. This completes our proof. □


Lemma 3.5. If the LW2 assumption holds, then no polynomial-time adversary can distinguish between $G_1$ and $G_2$ with non-negligible advantage. That is, for any adversary A there exists a PPT algorithm $B_2$ such that $|\mathrm{Adv}^{G_{1,k-1}}_{A} - \mathrm{Adv}^{G_{1,k}}_{A}| = \mathrm{Adv}^{LW2}_{B_2}(\lambda)$.

Proof. Suppose there exists an adversary A that distinguishes between $G_{1,k-1}$ and $G_{1,k}$ with non-negligible advantage. A simulator $B_2$ that solves the LW2 assumption using A is given: a challenge tuple D = {{p,G,G,GT,e),k,kykykykyP\PyP^yP'’‘) and $T$ where $T = T_0 = k^{bc}$ or $T = T_1 = k^{bc + d}$. Then $B_2$

that interacts with A is described as follows: B 2 first selects random exponents Vi, V 2 , V 3 , y^ ^ > A, B, a, y„, y/,, 
yw,yv € Zp and sets g = kyu = = {k^fkyfw = = P,u = = {PfPfv = It 

implicitly sets = (V 1 V 3 — V 2 )b — ViTt-y {a+yP ,^2 = — v^bG 71,^2 =b,r = a-hyT and publishes a public 
key PK as 


g,u,h, wi = {{Py^y^-^^k-^^^{p)kyyyfw2 = yPp^^pyfw^ = {Py^w, 

g, p\pyr" = {P\Pyy^y, u,pfpyu-^ = 

h, p\pyh-^ = {{PY^iPy'''^^y^P''yy~y vyyyv^^, ki = e{if,PY. 
Additionally, it sets $f = k, \hat f = \hat k$ for the semi-functional signature and verification. A adaptively requests a signature for a message $M$. If this is the $j$-th signature query, then $B_2$ handles this query as follows:

• Case $j < k$: It creates a semi-functional signature by calling PKS1.SignSF since it knows the tuple $(f^{\nu_1 \nu_3 - \nu_2}, f^{-\nu_3}, f)$ for the semi-functional signature.

• Case $j = k$: It selects random exponents $r', c'_1, c'_2 \in \mathbb{Z}_p$ and creates a signature by implicitly setting $r = -c + r'$, $c_1 = c(AM + B)/y_w + c'_1$, $c_2 = c/y_w + c'_2$ as

{yuM+yn ) ( J) (''3 - V 2 ) {AM+B) ^ (-Vi n+y^) (AM+B) ^ 

wy,! 1^2,2 = W2,3 = Twf, 1^2,4 = {ky'^w‘^'^. 

• Case $j > k$: It creates a normal signature by calling PKS1.Sign since it knows $\alpha$ of the private key. Note that $x, y$ are not required.

Finally, A outputs a forged signature $\sigma^* = (W^*_{1,1}, \dots, W^*_{2,4})$ on a message $M^*$. To verify the forged signature, $B_2$ first chooses random exponents $t', s_1, s_2 \in \mathbb{Z}_p$ and computes semi-functional verification components by implicitly setting $t = bx + t'$, $s_c = -a^2 x$, $z_c = AM^* + B$ as

= , Fi,2 = 

3 = Fi,4 = 

F 2.1 = 

V 2.2 = 

F 2 3 = +yhA2 yM* j:iy2tyviS2 0^a^xy (AM*+B) ^ 

F2 4 = ( +^)yr-(yuM* +yh)(J^t’xy (y^M* +yh)y-i(J^‘^^y (AAt* +By yay (y^M*yy^)t' yM* %yyAy^-Ttsi _ 

Next, it verifies that H/Li e(Wy,Vij) ■ nf=i e(Wy,V 2 jy^ = e{IA,kf^y^ ■ e{k‘‘,1“)^*' ■ If this equation holds, 
then it outputs 0. Otherwise, it outputs 1. 

To finish the proof, we should show that the distribution of the simulation is correct. We first show that the distribution of the simulation using $D, T_0 = k^{bc}$ is the same as $G_{1,k-1}$. The public key is correctly distributed since the random blinding values $y_u, y_h, y_w, y_v$ are used. The $k$-th signature is correctly distributed as

j =gO.(y{aA+yu)Mj^aB+yhyc+r'iyyAAlV?,~V 2 )b-ViTZ+(a+yA)Y(AM+B)ly„+c\ 

= g^ (JAY(yuM+yh ) (j^ (vi V3 -V2) (AM+B) ^ (-vi n+y.,)(AM+B) y\ ^ 

ITl 2 = W 2 = ()ty»'(“''3t>+7r)y(AM+B)/)’w-l-c', _ yY^AAM+B) ycy(AM+B)^<j ^ 

Wi,3 = wj’ = 

ITl 4 = ^ 

The semi-functional verification components are correctly distributed as 

F2 ,i = {u^*hy = (^(«A+r„)M‘pS+yA)to+f' ^ YabxyMABYbxy.MAyHYM^Yy 

V 22 = -*2 
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V2 3 = = (^(«^+3'»)''2M*^(aB+3),.)V2^te+('|--V3y2^-a^^(AM*+e) 

_ ^ j^ahx ^ (AM* +B)V2^ j^bx^ {y^M* +yk) V 2 V2(' -¥ 3^2 ("^ +B) 

V24 = ((u-^f^h-j(v-yYr‘^T'^ 

_ ^^-(aA+y„)(a+yz)M*^-(aB+y/,)(a+yz)'jbx+t'^^-7!:y2^-b(-a^x)(AM*+B) 

_ ^^abxj-(AM* +B)y^- (>>„M* +yk ) j^bx^-(y^M* +yh)yT ^ [k‘^)~ ( U^*h)~^'^*' 


The simulator can create the semi-functional verification components only with the fixed $z_c = AM^* + B$ since $s_c, z_c$ enable the cancellation of $k^{a^2}$. Even though the simulator uses the fixed $z_c$, the distribution of $z_c$ is correct since $A, B$ are information theoretically hidden to A. We next show that the distribution of the simulation using $D, T_1 = k^{bc + d}$ is the same as $G_{1,k}$. We only consider the distribution of the $k$-th signature since $T$ is only used in the $k$-th signature. The only difference between $T_0$ and $T_1$ is that $T_1$ additionally has $k^{d}$. The signature components $W_{1,1}, W_{1,2}, W_{1,3}, W_{2,1}, W_{2,2}, W_{2,3}$ that have $T$ in the simulation additionally have powers of $k^{d}$ (with exponents involving $\nu_1, \nu_2, \nu_3$ and $AM + B$) respectively. If we implicitly set $s_k = d$, $z_k = AM + B$, then the distribution of the $k$-th signature is the same as $G_{1,k}$ except that the $k$-th signature is nominally semi-functional.

Finally, we show that the adversary cannot distinguish the nominally semi-functional signature from the semi-functional signature. The main idea of this is that the adversary cannot request a signature for the forgery message $M^*$ in the security model. Suppose there exists an unbounded adversary; then the adversary can gather $z_k = AM + B$ from the $k$-th signature and $z_c = AM^* + B$ from the forged signature. It is easy to show that $z_k$ and $z_c$ look random to the unbounded adversary since $f(M) = AM + B$ is a pairwise independent function and $A, B$ are information theoretically hidden to the adversary. This completes our proof. □

Lemma 3.6. If the DBDH assumption holds, then no polynomial-time adversary can distinguish between $G_2$ and $G_3$ with non-negligible advantage. That is, for any adversary A, there exists a PPT algorithm $B_3$ such that $|\mathrm{Adv}^{G_2}_{A} - \mathrm{Adv}^{G_3}_{A}| = \mathrm{Adv}^{DBDH}_{B_3}(\lambda)$.

Proof. Suppose there exists an adversary A that distinguishes $G_2$ from $G_3$ with non-negligible advantage. A simulator $B_3$ that solves the DBDH assumption using A is given: a challenge tuple $D = ((p, G, \hat G, G_T, e), k, k^{a}, k^{b}, k^{c}, \hat k, \hat k^{a}, \hat k^{b}, \hat k^{c})$ and $T$ where $T = T_0 = e(k, \hat k)^{abc}$ or $T = T_1 = e(k, \hat k)^{d}$. Then $B_3$ that interacts with A is described as follows: $B_3$ first chooses random exponents $\nu_1, \nu_3, \phi_1, \phi_2, \phi_3 \in \mathbb{Z}_p$ and sets n = ^2 + V3^3.
It selects random exponents yg,x,y,yw,yv G Zp and sets g = k^+u = gf ,h = g^,w\ = F"’'^',W 2 = F"'‘^,W 3 = 
= ky«,g = P+u = g^,h = gy,v = P*. It implicitly sets V 2 = a,T = + Vi ^2 +a^ 2 ,a = ab and 

publishes a public key PK as 

g,u,h, Wl,W2,W3,W, g,g^',g''^ = {Py+g^'" 

uA^fu^^ = {g^Yfu-^ = {g-pY 
v,PYv-^,kl = e{kYPyl 

— ic-ygi.++v\^i) (j+Yy^^,
= {g-YyYh-^ = {g-YY

Additionally, it sets $f = k, \hat f = \hat k$ for the semi-functional signature and semi-functional verification. A adaptively requests a signature for a message $M$. To respond to this query, $B_3$ selects random exponents $r, c_1, c_2, s_k, z'_k \in \mathbb{Z}_p$ and creates a semi-functional signature by implicitly setting $z_k = b y_g / s_k + z'_k$ as
lVi,i = 

1^1 2 = Wi,3 = w^‘ (A:*)>’*F*4, 4 = w"', 

M/ 2,1 W 22 =w‘'^k-^^'\ W2,3=wl^k-^^, W2,4=W^\ 

The simulator can only create a semi-functional signature since $s_k, z_k$ enable the cancellation of $k^{ab}$. Finally, A outputs a forged signature $\sigma^* = (W^*_{1,1}, \dots, W^*_{2,4})$ on a message $M^*$. To verify the forged signature, $B_3$ first chooses random exponents $s_1, s_2, s'_c, z'_c \in \mathbb{Z}_p$ and computes semi-functional verification components by implicitly setting $t = c$, $s_c = -ac y_g + s'_c$, $z_c = -ac y_g (xM^* + y)/s_c + z'_c/s_c$ as

1 = {ky^^ 2 = {ky^^^v^\ Fi,3 = Vi ,4 = ^ 

V2J = t/ 2,2 = ^2,3 = 

^2 4 = y')-ys(^^*+y)(^i+y’i‘f'2){)-^^2y<f'34_ 


Next, it verifies that O/Li V'l,) • IT^^i ^(W^ 2 *o^ 2 ,i) ^ . If this equation holds, then it outputs 0. Otherwise, it outputs 1.

To finish the proof, we first show that the distribution of the simulation using $D, T = e(k, \hat k)^{abc}$ is the same as $G_2$. The public key is correctly distributed since the random blinding values $y_g, y_w, y_v$ are used. The semi-functional signature is correctly distributed as

ITn = g«( (/V,V3-V2).« ^ ky^^^’iu^hYw^^ (^V,V3-«y*(%A.+4) 

= {u^hYwl^ 


The semi-functional verification components are correctly distributed as

Fi3 = =v''3"‘K, 

Vi4 = {y^y= (k^t'g('l'i+vii|)2+ai|>3)^c^-?rii^-(|'3(-ac)-j-|-i^) _ ^^c^->>j((|)i+Vi(|)2)--;rgi^-(|)3i^^ 

^2 3 = hy {yy^ _^V3S2j^zy 

F 24 = = (k^%('^l+''l‘te+“‘?’3)A^*+>’))c(p-^y2('^-<l'3^-ac>-j(xM*+3))+z^ 

= (k^’ ) “t's +>") ( '^1 + ''1 ‘te) v~ ^-*2 ^- 03 Zc ^ 

a^ = e{g,gr = e{k:ky>^^ = {Tyl. 

We next show that the distribution of the simulation using $D, T_1 = e(k, \hat k)^{d}$ is almost the same as $G_3$. It is obvious that the signature verification for the forged signature always fails if $T_1 = e(k, \hat k)^{d}$ is used, except with probability $1/p$, since $d$ is a random value in $\mathbb{Z}_p$. This completes our proof. □

3.3.2 Analysis of PKS2 

Theorem 3.7. The above PKS2 scheme is existentially unforgeable under a chosen message attack if the LW1, LW2, and DBDH assumptions hold. That is, for any PPT adversary A, there exist PPT algorithms $B_1, B_2, B_3$ such that $\mathrm{Adv}^{PKS}_{A}(\lambda) \le \mathrm{Adv}^{LW1}_{B_1}(\lambda) + q\,\mathrm{Adv}^{LW2}_{B_2}(\lambda) + \mathrm{Adv}^{DBDH}_{B_3}(\lambda)$ where $q$ is the maximum number of signature queries of A.

Proof. Before proving the security, we first define two additional algorithms for semi-functional types. For the semi-functionality, we set $f = g^{y_f}$, $\hat f = \hat g^{y_f}$ where $y_f$ is a random exponent in $\mathbb{Z}_p$.

PKS2.SignSF. The semi-functional signing algorithm first creates a normal signature using the private key. Let $(W'_{1,1}, \dots, W'_{2,3})$ be the normal signature of a message $M$ with random exponents $r, c_1, c_2 \in \mathbb{Z}_p$. It selects random exponents $s_k, z_k \in \mathbb{Z}_p$ and outputs a semi-functional signature as

a = ( ITi j = IT/1 • 1Ti,2 = WI 2 ITi,3 = < 3 , 

^ 2,1 = lT{i • 1T2,2 = wy-ff ^2,3 = IT2'.3 ) • 

PKS2.VerifySF. The semi-functional verification algorithm first creates normal verification components using the public key. Let $(V'_{1,1}, \dots, V'_{2,3})$ be the normal verification components with a random exponent $t \in \mathbb{Z}_p$. It chooses random exponents $s_c, z_c \in \mathbb{Z}_p$ and computes semi-functional verification components as


Ti.i = T' 1 , Ti,2 = T 1/2 Ti,3 = T/.3 • 

T 2,1 = V2,2 = T2,3 = ^ 2/3 • 

Next, it verifies that $\prod_{i=1}^{3} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(W_{2,i}, V_{2,i})^{-1} = \Omega^t$. If this equation holds, then it outputs 1. Otherwise, it outputs 0.

If the semi-functional verification algorithm is used to verify a semi-functional signature, then an additional random element appears in the left part of the above verification equation. If $z_k = z_c$, then the semi-functional verification algorithm succeeds. In this case, we say that the signature is nominally semi-functional.

The security proof uses a sequence of games $G_0, G_1, G_2$, and $G_3$. The definition of these games is the same as that of Theorem 3.3. From the following three lemmas, we prove that it is hard for A to distinguish $G_{i-1}$ from $G_i$ under the given assumptions. Therefore, we have that

$$
\mathrm{Adv}^{PKS}_{A}(\lambda)
 = \mathrm{Adv}^{G_0}_{A} + \sum_{i=1}^{2}\bigl(\mathrm{Adv}^{G_i}_{A} - \mathrm{Adv}^{G_i}_{A}\bigr) - \mathrm{Adv}^{G_3}_{A}
 \le \sum_{i=1}^{3}\bigl|\mathrm{Adv}^{G_{i-1}}_{A} - \mathrm{Adv}^{G_i}_{A}\bigr|
 = \mathrm{Adv}^{LW1}_{B_1}(\lambda) + \sum_{k=1}^{q}\mathrm{Adv}^{LW2}_{B_2}(\lambda) + \mathrm{Adv}^{DBDH}_{B_3}(\lambda).
$$

This completes our proof. □

Lemma 3.8. If the LW1 assumption holds, then no polynomial-time adversary can distinguish between $G_0$ and $G_1$ with non-negligible advantage. That is, for any adversary A there exists a PPT algorithm $B_1$ such that $|\mathrm{Adv}^{G_0}_{A} - \mathrm{Adv}^{G_1}_{A}| = \mathrm{Adv}^{LW1}_{B_1}(\lambda)$.


Proof. Suppose there exists an adversary A that distinguishes between $G_0$ and $G_1$ with non-negligible advantage. A simulator $B_1$ that solves the LW1 assumption using A is given: a challenge tuple D =

If^^c+d . Then $B_1$ that interacts with A is described as follows: $B_1$ first chooses random exponents $\phi_2, A, B, \alpha \in \mathbb{Z}_p$ and random values $y_g, y_u, y_h, y_w \in \mathbb{Z}_p$. It computes wi = , W2 = , w = F“' by implicitly setting $\phi_1 = b$. It implicitly sets $c_g = -b/y_w + c'_g$, $c_u = -bA/y_w + c'_u$, $c_h = -bB/y_w + c'_h$, $\nu = a$, $\pi = b + a\phi_2$ and publishes a public key PK by selecting random values $c'_g, c'_u, c'_h \in \mathbb{Z}_p$ as

gw"/ = ky^wf, w"/ = , w"* = {k‘’)-^w<, 

uw/ = w/ = {k‘’)-‘’^^wf, w"“ = 

hw"/ = ky'w"/, w"/ = , w'^’' = wi, W2, w, 

g = t = t'^\P)y^, g-^ = {P\P)y^{t'^^fpky^^^)-\ 

U = U^' = {P^^f{P)y% u-^ = ((P')^(P)^“(P^')^*2(P)r„t-2)-i^ 

h = {P"fP^, P = {P’’"f{ky\ h-^ = {{P'f{P)y>-{P‘’"y^{P)y'^y-\ 

Q. = {e{P\P)-e{P\kfy^ ■e{kpk)y'p"^. 

It implicitly sets $g = k^{b} k^{y_g}$, $u = k^{bA} k^{y_u}$, $h = k^{bB} k^{y_h}$, but it cannot create these elements since $k^{b}$ is not given. Additionally, it sets $f = k, \hat f = \hat k$ for the semi-functional signature and verification. A adaptively requests a signature for a message $M$. To respond to this signing query, $B_1$ first selects random exponents $r, c'_1, c'_2 \in \mathbb{Z}_p$. It implicitly sets $c_1 = -b(\alpha + (AM + B)r)/y_w + c'_1$, $c_2 = -br/y_w + c'_2$ and creates a normal signature as

ITl J =kA“+(>’“"+>’*)''(wi)"i, 1 Ti,2 = (1Ti,3)'^^ 1Ti,3 = {P)-A+AM+B)r)y ^ 
W2.l=kyA{wiY\ 1 ^ 2,2 = (^2,3)^, 1^2,3 = {Pyw^^. 

Finally, A outputs a forged signature $\sigma^* = (W^*_{1,1}, \dots, W^*_{2,3})$ on a message $M^*$. To verify the forged signature, $B_1$ first chooses a random exponent $t \in \mathbb{Z}_p$ and computes verification components by implicitly setting $t = c$ as

Fi 1 Fi 2 = T{Py^, Fi,3 = {{P'yPy^{Ty{Pyy-\ 

F 2 ,i = (^p^yM*+B(^^cy,M*+y,^ ^ ^j^yM*+B^^acy,M*+yy 

F 2 3 = ((P^^ (P*^ yuM*+yh(j-y {AM* +B) j^ac^ 02(y«M* +») ^ “ 1 ^ 

Next, it verifies that nLi^(^r;)^i,<)' IlLi ^(^ 2 * 0 ^ 2 ,i)~^ = . If this equation holds, then it outputs 0. Otherwise, it outputs 1.

To finish this proof, we show that the distribution of the simulation is correct. We first show that the distribution using D, T_0 = k ^ is the same as $G_0$. The public key is correctly distributed as

gw/ = =F«w^.

The simulator cannot create $g, u, h$ since $k^{b}$ is not given in the assumption, but it can create $gw^{c_g}, uw^{c_u}, hw^{c_h}$ since $c_g, c_u, c_h$ can be used to cancel out $k^{b}$. The signature is correctly distributed as

J _ yy^+yyay/b^A+yu)MjykB+yhyyyy„YKo.+(AM+B)r)ly„+c'^ 

= J^ygrt+{yuM+yh)r^A ^ 

W 2 J =g''(w^‘)"" = {P^+yp''{pyp-'”'iy'*+^'^ = kyA{wy^'K 
It can create a normal signature since $c_1, c_2$ enable the cancellation of , but it cannot create a semi-functional signature since k‘^ is not given. The verification components are correctly distributed as


Ti 1 =g‘ = Via = (i''y = = Toi^T^, 

i/j 3 = (g-j = ^ 

1 / 2,1 = {U^^hy = k‘’'^+yhy = (^j^bVyM*+B^j^cy,M*+y,^ 

1/2,2 = ((«'")“*/!'')' = = (^To)^M*+B(^i^acy,M*+yy 

1/23 = hr'^y = (^(^y(.(^^/l+)’a)(^+ai|> 2 )M*^(fe 2 B+rA)( 6 +a(fc)^c^-l 

_ yk^^‘^ ( k^‘^y'‘^* (To) +-®) +»))-! 


We next show that the distribution of the simulation using $D, T_1$ = is the same as $G_1$. We only consider the distribution of the verification components since $T$ is only used in the verification components. The difference between $T_0$ and $T_1$ is that $T_1$ additionally has . Thus $V_{1,2}, V_{1,3}, V_{2,2}, V_{2,3}$ that have $T$ in the simulation additionally have +b) respectively. If we implicitly set $s_c = d$, $z_c = AM^* + B$, then the verification components of the forged signature are semi-functional since $A$ and $B$ are information-theoretically hidden to the adversary. This completes our proof. □


Lemma 3.9. If the LW2 assumption holds, then no polynomial-time adversary can distinguish between $G_1$ and $G_2$ with non-negligible advantage. That is, for any adversary A, there exists a PPT algorithm $B_2$ such that $|\mathrm{Adv}^{G_{1,k-1}}_{A} - \mathrm{Adv}^{G_{1,k}}_{A}| = \mathrm{Adv}^{LW2}_{B_2}(\lambda)$.

Proof. Suppose there exists an adversary A that distinguishes between $G_{1,k-1}$ and $G_{1,k}$ with non-negligible advantage. A simulator $B_2$ that solves the LW2 assumption using A is given: a challenge tuple D = {{p,G,G,GT,e),k,kfkykykft\Pyt^yk‘^'’‘) and $T$ where $T = T_0 = k^{bc}$ or $T = T_1 = k^{bc + d}$. Then $B_2$ that interacts with A is described as follows: $B_2$ first selects random exponents $\nu, y_\pi, A, B, \alpha, y_u, y_h, y_w \in \mathbb{Z}_p$. It computes wi = = {{kf’)^^lAk^'^Y'^,W 2 = = {k!’y'“,w = k^'^ by implicitly setting (a + y_π), $\phi_2 = b$. It implicitly sets $\pi = a + y_\pi$ and publishes a public key PK by selecting random values


gwf = k‘‘wy,wfy^, uwy = {eyk^^wyyyyf hwf = {kyk^’'w\\wy wi,w2 
g = kfgyg-^ = {t\kyy-y, a = {iefp\uyu-^ = {{P'f{Py‘‘+^y^P'‘yy-\ 
h = {PfPyP,h-^ = {{p^f{Py>-+^y4y'-yy-\ q = e{p,P)^. 


W, 


Additionally, it sets $f = k, \hat f = \hat k$ for the semi-functional signature and verification. A adaptively requests a signature for a message $M$. If this is the $j$-th signature query, then $B_2$ handles this query as follows:

• Case $j < k$: It creates a semi-functional signature by calling PKS2.SignSF since it knows the tuple $(f^{\nu}, f)$ for the semi-functional signature.

• Case $j = k$: It selects random exponents $r', c'_1, c'_2 \in \mathbb{Z}_p$ and creates a signature by implicitly setting $r = -c + r'$, $c_1 = c(AM + B)/y_w + c'_1$, $c_2 = c/y_w + c'_2$ as

Wl ,3 = W 2 ,l = g’'{T)-^{ky*wf, W 2,2 = Tw‘y, W2,3 = 
• Case $j > k$: It creates a normal signature by calling PKS2.Sign since it knows the private key.

Finally, A outputs a forged signature $\sigma^* = (W^*_{1,1}, \dots, W^*_{2,3})$ on a message $M^*$. To verify the forged signature, $B_2$ first chooses a random exponent $t' \in \mathbb{Z}_p$ and computes semi-functional verification components by implicitly setting $t = bx + t'$, $s_c = -a^2 x$, $z_c = AM^* + B$ as

= Fi,2 = Vi,3 = 

1 / 2,1 = V2,2 = 

V2 3 = ^]^bx'j-{yuM*+yh) (^px-^-{y„M’'+yh)yt ^ 

Next, it verifies that hLi ^(^ 1 * 0 ^ 1 .!)' OLi ^(^ 2 * 0 '^2,0 ^ . If this equation holds, then it outputs 0. Otherwise, it outputs 1.

To finish the proof, we should show that the distribution of the simulation is correct. We first show that the distribution of the simulation using $D, T_0 = k^{bc}$ is the same as $G_{1,k-1}$. The public key is correctly distributed since the random blinding values $y_u, y_h, y_w$ are used. The $k$-th signature is correctly distributed as

j = = g^{y‘^Myu)Mi^aB+yuYC+r' ^l^y„(-vb+a+y^)y{AM+B)/y^+c\ 

11 / 1.2 =W 2 ‘ = {ky«bY(AM+B)ly„+c\ ^ (J) ^ 

ITl 3 = w"'* = {ky«yAM+B)/y„+c'^ ^ YyAM+B)^c>^ ^ 


The semi-functional verification components are correctly distributed as

F2 ,i = {U^^hy = (y{‘^Myu)M*YB+yHyx+t' ^ Y‘^bxYM*+BYbxyuM*+y,YM*Y‘', 

^2 2 = {{{A)^* lAy = {jyBMyu)vM*'y,aB+yh)vyx+t'Y‘‘^x{AM*+B) 

— yibx ^ {AM* +SA (ybx'^{y„M*+y,,)v jyyy +^) 

^2 3 = h^'^y = [y-{‘^^+yu){a+yT)M*Yi^^+yh){a+yT)yx+t'Yb{-a^x){AM*+B) 

_ Y^'bx^ +B)y^-{yuM*+yh){^ J^bx ) “ (fuM* -Hr* )r t ^ - T ^ M* ^ - T y' 


The simulator can create the semi-functional verification components only with the fixed $z_c = AM^* + B$ since $s_c, z_c$ enable the cancellation of $k^{a^2}$. Even though it uses the fixed $z_c$, the distribution of $z_c$ is correct since $A, B$ are information theoretically hidden to A. We next show that the distribution of the simulation using $D, T_1 = k^{bc + d}$ is the same as $G_{1,k}$. We only consider the distribution of the $k$-th signature since $T$ is only used in the $k$-th signature. The only difference between $T_0$ and $T_1$ is that $T_1$ additionally has $k^{d}$. The signature components $W_{1,1}, W_{1,2}, W_{2,1}, W_{2,2}$ that have $T$ in the simulation additionally have (j^'^{am+b)^ {k‘^y^,k‘^ respectively. If we implicitly set $s_k = d$, $z_k = AM + B$, then the distribution of the $k$-th signature is the same as $G_{1,k}$ except that the $k$-th signature is nominally semi-functional.

Finally, we show that A cannot distinguish the nominally semi-functional signature from the semi-functional signature. The main idea of this is that A cannot request a signature for the forgery message $M^*$ in the security model. Suppose there exists an unbounded adversary; then he can gather $z_k = AM + B$ from the $k$-th signature and $z_c = AM^* + B$ from the forged signature. It is easy to show that $z_k, z_c$ look random to the unbounded adversary since $f(M) = AM + B$ is a pairwise independent function and $A, B$ are information theoretically hidden to the adversary. This completes our proof. □
Lemma 3.10. If the DBDH assumption holds, then no polynomial-time adversary can distinguish between $G_2$ and $G_3$ with non-negligible advantage. That is, for any adversary A, there exists a PPT algorithm $B_3$ such that $|\mathrm{Adv}^{G_2}_{A} - \mathrm{Adv}^{G_3}_{A}| = \mathrm{Adv}^{DBDH}_{B_3}(\lambda)$.

Proof. Suppose there exists an adversary A that distinguishes $G_2$ from $G_3$ with non-negligible advantage. A simulator $B_3$ that solves the DBDH assumption using A is given: a challenge tuple $D = ((p, G, \hat G, G_T, e), k, k^{a}, k^{b}, k^{c}, \hat k, \hat k^{a}, \hat k^{b}, \hat k^{c})$ and $T$ where $T = T_0 = e(k, \hat k)^{abc}$ or $T = T_1 = e(k, \hat k)^{d}$. Then $B_3$ that interacts with A is described as follows: $B_3$ first chooses random exponents $\phi_1, \phi_2, y_g, x, y \in \mathbb{Z}_p$ and a random element $w \in G$. It computes $g = k^{y_g}$, $u = g^{x}$, $h = g^{y}$, $\hat g = \hat k^{y_g}$, $\hat u = \hat g^{x}$, $\hat h = \hat g^{y}$, $w_1 = w^{\phi_1}$, $w_2 = w^{\phi_2}$. It implicitly sets $\nu = a$, $\pi = \phi_1 + a\phi_2$, $\alpha = ab$ and publishes a public key PK by selecting random values $c_g, c_u, c_h \in \mathbb{Z}_p$ as

gw^^W 2 ^w^«, uwY,w‘f ,w‘'“, hwYjWY,w‘^'', Wl,W 2 ,W, 

1,1'' = u,u^ = = (r^r, 

h,p = = {g-y, o.=e{kfkyi 

Additionally, it sets $f = k, \hat f = \hat k$ for the semi-functional signature and semi-functional verification. A adaptively requests a signature for a message $M$. To respond to this query, $B_3$ selects random exponents $r, c_1, c_2, s_k, z'_k \in \mathbb{Z}_p$ and creates a semi-functional signature by implicitly setting $z_k = b y_g / s_k + z'_k$ as

ITi 1 = {u^hYwlfk^y^^^, Wi,2=wlfky>^k^^^f Wi,3 =w"', 

= g''wf W2,2 = wlVY ^2,3 = 

It can only create a semi-functional signature since $s_k, z_k$ enable the cancellation of $k^{ab}$. Finally, A outputs a forged signature $\sigma^* = (W^*_{1,1}, \dots, W^*_{2,3})$ on a message $M^*$. To verify the forged signature, $B_3$ first chooses random exponents $s_1, s_2, s'_c, z'_c \in \mathbb{Z}_p$ and computes semi-functional verification components by implicitly setting $t = c$, $s_c = -ac y_g + s'_c$, $z_c = -ac y_g (xM^* + y)/s_c + z'_c/s_c$ as

F] 1 = Fi 2 = y, Vi,3 = , 

V2J = (p)y^(^^*+y\ V2,2 = P'% i^2,3 = (p)-yM^^^+y)k-‘l>2zf 

Next, it verifies that IlLi ‘ OLi . If this equation holds, then it outputs 0. Otherwise, it outputs 1.

To finish the proof, we first show that the distribution of the simulation using $D, T = e(k, \hat k)^{abc}$ is the same as $G_2$. The public key is correctly distributed since the random values $y_g, x, y, c_g, c_u, c_h$ are used. The semi-functional signature is correctly distributed as

The simulator can only create a semi-functional signature since $z_k = b y_g / s_k + z'_k$ enables the cancellation of $k^{ab}$. The semi-functional verification components are correctly distributed as

Fi 1 =g‘ = = {Py>^, Fi 2 = {yyy = {PyA~‘^^y^+^'c = py 

F2,i = {U^'hy = (p'A^^Ay = Y^cyfxM^+y)^ 

V22 = y^^pyy^^ = (^pA’‘M*+y)yk-‘‘cyfxM*+y)+f = py 





= (^k‘^yys*i’i(2(^* +y)}c^‘i’2^y 
Q.‘=eig,gr=e{k;k)yl‘‘>’^ = {To)yl 

We next show that the distribution of the simulation using $D, T_1 = e(k, \hat k)^{d}$ is almost the same as $G_3$. It is obvious that the signature verification for the forged signature always fails if $T_1 = e(k, \hat k)^{d}$ is used, except with probability $1/p$, since $d$ is a random value in $\mathbb{Z}_p$. This completes our proof. □

4 Sequential Aggregate Signature 

In this section, we propose two SAS schemes with short public keys and prove their security based on that 
of our PKS schemes. 

4.1 Definitions 

The concept of SAS was introduced by Lysyanskaya et al. [29]. In SAS, all signers first generate public keys and private keys, and then publish their public keys. To generate a sequential aggregate signature, a signer may receive an aggregate-so-far from a previous signer, and creates a new aggregate signature by adding his signature to the aggregate-so-far in sequential order. After that, the signer may send the aggregate signature to the next signer. A verifier can check the validity of the aggregate signature by using the public keys of all signers in the aggregate signature. An SAS scheme is formally defined as follows:

Definition 4.1 (Sequential Aggregate Signature). A sequential aggregate signature (SAS) scheme consists of four PPT algorithms Setup, KeyGen, AggSign, and AggVerify, which are defined as follows:

Setup($1^\lambda$). The setup algorithm takes as input a security parameter $1^\lambda$ and outputs public parameters PP.

KeyGen(PP). The key generation algorithm takes as input the public parameters PP, and outputs a public key PK and a private key SK.

AggSign(AS', M', PK', M, SK). The aggregate signing algorithm takes as input an aggregate-so-far AS' on messages M' = $(M_1, \dots, M_l)$ under public keys PK' = $(PK_1, \dots, PK_l)$, a message M, and a private key SK, and outputs a new aggregate signature AS.

AggVerify(AS, M, PK). The aggregate verification algorithm takes as input an aggregate signature AS on messages M = $(M_1, \dots, M_l)$ under public keys PK = $(PK_1, \dots, PK_l)$, and outputs either 1 or 0 depending on the validity of the sequential aggregate signature.

The correctness requirement is that for each PP output by Setup, for all (PK, SK) output by KeyGen, and any M, we have that AggVerify(AggSign(AS', M', PK', M, SK), M'||M, PK'||PK) = 1 where AS' is a valid aggregate-so-far signature on messages M' under public keys PK'.

A trivial SAS scheme can be constructed from a PKS scheme by concatenating each signer's signature in sequential order, but the size of the aggregate signature is then proportional to the number of signers. Therefore, a non-trivial SAS scheme should satisfy the signature compactness property that requires the size of the aggregate signature to be independent of the number of signers.

The security model of SAS was defined by Lysyanskaya et al. [29], but we follow the security model 
of Lu et al. [27] that requires an adversary to register the key pairs of all signers except the target 
signer, namely the knowledge of secret key (KOSK) setting or the proof of knowledge (POK) setting. In this 
security model, an adversary is first given the public key of a target signer. After that, the adversary adaptively 
requests the certification of a public key by registering the key pair of another signer, and he adaptively requests 
a sequential aggregate signature by providing a previous aggregate signature to the signing oracle. Finally, 
the adversary outputs a forged sequential aggregate signature on messages under public keys. If the forged 
sequential aggregate signature satisfies the conditions of the security model, then the adversary wins the security game. 
The security model of SAS is formally defined as follows: 

Definition 4.2 (Security). The security notion of existential unforgeability under a chosen message attack 
is defined in terms of the following experiment between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$: 

1. Setup: $\mathcal{C}$ first initializes a certification list $CL$ as empty. Next, it runs Setup to obtain public parameters 
$PP$ and KeyGen to obtain a key pair $(PK, SK)$, and gives $PP, PK$ to $\mathcal{A}$. 

2. Certification Query: $\mathcal{A}$ adaptively requests the certification of a public key by providing a key pair 
$(PK_i, SK_i)$. Then $\mathcal{C}$ adds the key pair $(PK_i, SK_i)$ to $CL$ if the key pair is a valid one. 

3. Signature Query: $\mathcal{A}$ adaptively requests a sequential aggregate signature by providing an aggregate-so-far 
$AS'$ on messages $\mathbf{M}'$ under public keys $\mathbf{PK}'$, and a message $M$ to sign under the challenge public 
key $PK$, and receives a sequential aggregate signature $AS$. 

4. Output: Finally (after a sequence of the above queries), $\mathcal{A}$ outputs a forged sequential aggregate 
signature $AS^*$ on messages $\mathbf{M}^*$ under public keys $\mathbf{PK}^*$. $\mathcal{C}$ outputs 1 if the forged signature satisfies the 
following three conditions, or outputs 0 otherwise: 1) AggVerify($AS^*, \mathbf{M}^*, \mathbf{PK}^*$) $= 1$, 2) the challenge 
public key $PK$ must exist in $\mathbf{PK}^*$ and each public key in $\mathbf{PK}^*$ except the challenge public key must 
be in $CL$, and 3) the message $M$ in $\mathbf{M}^*$ that corresponds to the challenge public key $PK$ must not have 
been queried by $\mathcal{A}$ to the sequential aggregate signing oracle. 

The advantage of $\mathcal{A}$ is defined as $Adv^{SAS}_{\mathcal{A}}(\lambda) = \Pr[\mathcal{C} = 1]$, where the probability is taken over all the 
randomness of the experiment. An SAS scheme is existentially unforgeable under a chosen message attack if all 
PPT adversaries have at most a negligible advantage in the above experiment. 

4.2 Construction 

To construct an SAS scheme from a PKS scheme, the PKS scheme should support multiple users by sharing 
some elements among all signers, and the randomness of the signatures should be sequentially aggregated into a 
single value. We can employ the randomness reuse technique of Lu et al. [27] to aggregate the randomness 
of signatures. To apply the randomness reuse technique, we should re-randomize the aggregate signature to 
prevent a forgery attack. Thus we build on the PKS schemes of the previous section, which support multiple users 
and public re-randomization, to construct SAS schemes. 

4.2.1 Our SASl Scheme 

Our first SAS scheme in prime order bilinear groups is described as follows: 

SAS1.Setup($1^\lambda$): This algorithm first generates the asymmetric bilinear groups $G, \hat{G}$ of prime order $p$ of 
bit size $\Theta(\lambda)$. It chooses random elements $g, w \in G$ and $\hat{g}, \hat{v} \in \hat{G}$. Next, it chooses random exponents 
$\nu_1, \nu_2, \nu_3, \phi_1, \phi_2, \phi_3 \in \mathbb{Z}_p$ and sets $\tau = \phi_1 + \nu_1 \phi_2 + \nu_2 \phi_3$, $\pi = \phi_2 + \nu_3 \phi_3$. It also sets $w_1 = w^{\phi_1}$, $w_2 = w^{\phi_2}$, 
$w_3 = w^{\phi_3}$. It publishes public parameters as 

$$PP = \big( (p, G, \hat{G}, G_T, e),\ g, w_1, w_2, w_3, w,\ \hat{g}, \hat{g}^{\nu_1}, \hat{g}^{\nu_2}, \hat{g}^{-\tau},\ \hat{v}, \hat{v}^{\nu_3}, \hat{v}^{-\pi} \big).$$


SAS1.KeyGen($PP$): This algorithm takes as input the public parameters $PP$. It selects random exponents 
$\alpha, x, y \in \mathbb{Z}_p$ and computes $u = g^x$, $h = g^y$, $\hat{u} = \hat{g}^x$, $\hat{u}^{\nu_1} = (\hat{g}^{\nu_1})^x$, $\hat{u}^{\nu_2} = (\hat{g}^{\nu_2})^x$, $\hat{u}^{-\tau} = (\hat{g}^{-\tau})^x$, 
$\hat{h} = \hat{g}^y$, $\hat{h}^{\nu_1} = (\hat{g}^{\nu_1})^y$, $\hat{h}^{\nu_2} = (\hat{g}^{\nu_2})^y$, $\hat{h}^{-\tau} = (\hat{g}^{-\tau})^y$. It outputs a private key $SK = (\alpha, x, y)$ and a public key as 

$$PK = \big( u, h,\ \hat{u}, \hat{u}^{\nu_1}, \hat{u}^{\nu_2}, \hat{u}^{-\tau},\ \hat{h}, \hat{h}^{\nu_1}, \hat{h}^{\nu_2}, \hat{h}^{-\tau},\ \Omega = e(g, \hat{g})^{\alpha} \big).$$

SAS1.AggSign($AS', \mathbf{M}', \mathbf{PK}', M, SK$): This algorithm takes as input an aggregate-so-far $AS' = (S'_{1,1}, \ldots, S'_{2,4})$ 
on messages $\mathbf{M}' = (M_1, \ldots, M_{l-1})$ under public keys $\mathbf{PK}' = (PK_1, \ldots, PK_{l-1})$ where $PK_i = (u_i, h_i, \ldots, \Omega_i)$, 
a message $M \in \{0,1\}^k$ where $k < \lambda$, a private key $SK = (\alpha, x, y)$ with $PK = (u, h, \ldots, \Omega)$, and $PP$. It 
first checks the validity of $AS'$ by calling SAS1.AggVerify($AS', \mathbf{M}', \mathbf{PK}'$). If $AS'$ is not valid, then it halts. If 
the public key $PK$ of $SK$ already exists in $\mathbf{PK}'$, then it halts. Next, it creates temporal aggregate 
components by using the randomness of the previous aggregate-so-far as 

$$T_{1,1} = S'_{1,1} \cdot g^{\alpha} (S'_{2,1})^{xM+y},\quad T_{1,2} = S'_{1,2} \cdot (S'_{2,2})^{xM+y},\quad T_{1,3} = S'_{1,3} \cdot (S'_{2,3})^{xM+y},\quad T_{1,4} = S'_{1,4} \cdot (S'_{2,4})^{xM+y},$$
$$T_{2,1} = S'_{2,1},\quad T_{2,2} = S'_{2,2},\quad T_{2,3} = S'_{2,3},\quad T_{2,4} = S'_{2,4}.$$

Finally, it selects random exponents $r, c_1, c_2 \in \mathbb{Z}_p$ for re-randomization and outputs an aggregate signature as 

$$AS = \Big( S_{1,1} = T_{1,1} \cdot \prod_{i=1}^{l-1} (u_i^{M_i} h_i)^r (u^M h)^r w_1^{c_1},\ S_{1,2} = T_{1,2} \cdot w_2^{c_1},\ S_{1,3} = T_{1,3} \cdot w_3^{c_1},\ S_{1,4} = T_{1,4} \cdot w^{c_1},$$
$$S_{2,1} = T_{2,1} \cdot g^r w_1^{c_2},\ S_{2,2} = T_{2,2} \cdot w_2^{c_2},\ S_{2,3} = T_{2,3} \cdot w_3^{c_2},\ S_{2,4} = T_{2,4} \cdot w^{c_2} \Big).$$


SAS1.AggVerify($AS, \mathbf{M}, \mathbf{PK}$): This algorithm takes as input a sequential aggregate signature $AS$ on messages 
$\mathbf{M} = (M_1, \ldots, M_l)$ under public keys $\mathbf{PK} = (PK_1, \ldots, PK_l)$ where $PK_i = (u_i, h_i, \ldots, \Omega_i)$. It first 
checks that no public key appears twice in $\mathbf{PK}$ and that every public key in $\mathbf{PK}$ has been certified. 
If these checks fail, then it outputs 0. If $l = 0$, then it outputs 1 if $S_{1,1} = \cdots = S_{2,4} = 1$, and 0 otherwise. It 
chooses random exponents $t, s_1, s_2 \in \mathbb{Z}_p$ and computes verification components as 

$$C_{1,1} = \hat{g}^t,\quad C_{1,2} = (\hat{g}^{\nu_1})^t \hat{v}^{s_1},\quad C_{1,3} = (\hat{g}^{\nu_2})^t (\hat{v}^{\nu_3})^{s_1},\quad C_{1,4} = (\hat{g}^{-\tau})^t (\hat{v}^{-\pi})^{s_1},$$
$$C_{2,1} = \prod_{i=1}^{l} (\hat{u}_i^{M_i} \hat{h}_i)^t,\quad C_{2,2} = \prod_{i=1}^{l} \big( (\hat{u}_i^{\nu_1})^{M_i} \hat{h}_i^{\nu_1} \big)^t \hat{v}^{s_2},\quad C_{2,3} = \prod_{i=1}^{l} \big( (\hat{u}_i^{\nu_2})^{M_i} \hat{h}_i^{\nu_2} \big)^t (\hat{v}^{\nu_3})^{s_2},\quad C_{2,4} = \prod_{i=1}^{l} \big( (\hat{u}_i^{-\tau})^{M_i} \hat{h}_i^{-\tau} \big)^t (\hat{v}^{-\pi})^{s_2}.$$

Next, it verifies that $\prod_{i=1}^{4} e(S_{1,i}, C_{1,i}) \cdot \prod_{i=1}^{4} e(S_{2,i}, C_{2,i})^{-1} = \prod_{i=1}^{l} \Omega_i^{t}$. If this equation holds, then it 
outputs 1. Otherwise, it outputs 0. 
The aggregate signature $AS$ is a valid sequential aggregate signature on messages $\mathbf{M}' \| M$ under public 
keys $\mathbf{PK}' \| PK$ with randomness $\tilde{r} = r' + r$, $\tilde{c}_1 = c'_1 + c'_2 (xM + y) + c_1$, $\tilde{c}_2 = c'_2 + c_2$, where $r', c'_1, c'_2$ are the random 
values in $AS'$. The sequential aggregate signature has the following form: 

$$S_{1,1} = \prod_{i=1}^{l} g^{\alpha_i} \prod_{i=1}^{l} (u_i^{M_i} h_i)^{\tilde{r}} w_1^{\tilde{c}_1},\quad S_{1,2} = w_2^{\tilde{c}_1},\quad S_{1,3} = w_3^{\tilde{c}_1},\quad S_{1,4} = w^{\tilde{c}_1},$$
$$S_{2,1} = g^{\tilde{r}} w_1^{\tilde{c}_2},\quad S_{2,2} = w_2^{\tilde{c}_2},\quad S_{2,3} = w_3^{\tilde{c}_2},\quad S_{2,4} = w^{\tilde{c}_2}.$$


4.2.2 Our SAS2 Scheme 

Our second SAS scheme in prime order bilinear groups is described as follows: 

SAS2.Setup($1^\lambda$): This algorithm first generates the asymmetric bilinear groups $G, \hat{G}$ of prime order $p$ of 
bit size $\Theta(\lambda)$. It chooses random elements $g, w \in G$ and $\hat{g} \in \hat{G}$. Next, it selects random exponents 
$\nu, \phi_1, \phi_2 \in \mathbb{Z}_p$ and sets $\tau = \phi_1 + \nu \phi_2$, $w_1 = w^{\phi_1}$, $w_2 = w^{\phi_2}$. It publishes public parameters by selecting 
a random value $c_g \in \mathbb{Z}_p$ as 

$$PP = \big( (p, G, \hat{G}, G_T, e),\ g w_1^{c_g}, w_2^{c_g}, w^{c_g},\ w_1, w_2, w,\ \hat{g}, \hat{g}^{\nu}, \hat{g}^{-\tau},\ \Lambda = e(g, \hat{g}) \big).$$


SAS2.KeyGen($PP$): This algorithm takes as input the public parameters $PP$. It selects random exponents 
$\alpha, x, y \in \mathbb{Z}_p$ and sets $u = g^x$, $h = g^y$. It outputs a private key $SK = (\alpha, x, y)$ and a public key by selecting 
random values $c'_u, c'_h \in \mathbb{Z}_p$ as 

$$PK = \Big( u w_1^{c_u} = (g w_1^{c_g})^x w_1^{c'_u},\ w_2^{c_u} = (w_2^{c_g})^x w_2^{c'_u},\ w^{c_u} = (w^{c_g})^x w^{c'_u},\ h w_1^{c_h} = (g w_1^{c_g})^y w_1^{c'_h},\ w_2^{c_h} = (w_2^{c_g})^y w_2^{c'_h},\ w^{c_h} = (w^{c_g})^y w^{c'_h},$$
$$\hat{u} = \hat{g}^x,\ \hat{u}^{\nu} = (\hat{g}^{\nu})^x,\ \hat{u}^{-\tau} = (\hat{g}^{-\tau})^x,\ \hat{h} = \hat{g}^y,\ \hat{h}^{\nu} = (\hat{g}^{\nu})^y,\ \hat{h}^{-\tau} = (\hat{g}^{-\tau})^y,\ \Omega = \Lambda^{\alpha} \Big),$$

where the exponents $c_u = x c_g + c'_u$ and $c_h = y c_g + c'_h$ are implicitly defined. 


SAS2.AggSign($AS', \mathbf{M}', \mathbf{PK}', M, SK$): This algorithm takes as input an aggregate-so-far $AS' = (S'_{1,1}, \ldots, S'_{2,3})$ 
on messages $\mathbf{M}' = (M_1, \ldots, M_{l-1})$ under public keys $\mathbf{PK}' = (PK_1, \ldots, PK_{l-1})$ where $PK_i = (u_i w_1^{c_{u,i}}, \ldots, \Omega_i)$, 
a message $M \in \mathbb{Z}_p$, a private key $SK = (\alpha, x, y)$ with $PK = (u w_1^{c_u}, \ldots, \Omega)$, and $PP$. It first checks the 
validity of $AS'$ by calling SAS2.AggVerify($AS', \mathbf{M}', \mathbf{PK}'$). If $AS'$ is not valid, then it halts. If the public 
key $PK$ of $SK$ already exists in $\mathbf{PK}'$, then it halts. Next, it creates temporal aggregate components 
by using the randomness of the previous aggregate-so-far as 

$$T_{1,1} = S'_{1,1} (g w_1^{c_g})^{\alpha} (S'_{2,1})^{xM+y},\quad T_{1,2} = S'_{1,2} (w_2^{c_g})^{\alpha} (S'_{2,2})^{xM+y},\quad T_{1,3} = S'_{1,3} (w^{c_g})^{\alpha} (S'_{2,3})^{xM+y},$$
$$T_{2,1} = S'_{2,1},\quad T_{2,2} = S'_{2,2},\quad T_{2,3} = S'_{2,3}.$$

Finally, it selects random exponents $r, c_1, c_2 \in \mathbb{Z}_p$ for re-randomization and outputs an aggregate signature as 

$$AS = \Big( S_{1,1} = T_{1,1} \cdot \prod_{i=1}^{l} \big( (u_i w_1^{c_{u,i}})^{M_i} h_i w_1^{c_{h,i}} \big)^r w_1^{c_1},\ S_{1,2} = T_{1,2} \cdot \prod_{i=1}^{l} \big( (w_2^{c_{u,i}})^{M_i} w_2^{c_{h,i}} \big)^r w_2^{c_1},\ S_{1,3} = T_{1,3} \cdot \prod_{i=1}^{l} \big( (w^{c_{u,i}})^{M_i} w^{c_{h,i}} \big)^r w^{c_1},$$
$$S_{2,1} = T_{2,1} \cdot (g w_1^{c_g})^r w_1^{c_2},\ S_{2,2} = T_{2,2} \cdot (w_2^{c_g})^r w_2^{c_2},\ S_{2,3} = T_{2,3} \cdot (w^{c_g})^r w^{c_2} \Big),$$

where $PK_l = PK$ and $M_l = M$. 
SAS2.AggVerify($AS, \mathbf{M}, \mathbf{PK}$): This algorithm takes as input a sequential aggregate signature $AS$ on messages 
$\mathbf{M} = (M_1, \ldots, M_l)$ under public keys $\mathbf{PK} = (PK_1, \ldots, PK_l)$ where $PK_i = (u_i w_1^{c_{u,i}}, \ldots, \Omega_i)$. It first 
checks that no public key appears twice in $\mathbf{PK}$ and that every public key in $\mathbf{PK}$ has been 
certified. If these checks fail, then it outputs 0. If $l = 0$, then it outputs 1 if $S_{1,1} = \cdots = S_{2,3} = 1$, and 0 
otherwise. It chooses a random exponent $t \in \mathbb{Z}_p$ and computes verification components as 

$$C_{1,1} = \hat{g}^t,\quad C_{1,2} = (\hat{g}^{\nu})^t,\quad C_{1,3} = (\hat{g}^{-\tau})^t,$$
$$C_{2,1} = \prod_{i=1}^{l} (\hat{u}_i^{M_i} \hat{h}_i)^t,\quad C_{2,2} = \prod_{i=1}^{l} \big( (\hat{u}_i^{\nu})^{M_i} \hat{h}_i^{\nu} \big)^t,\quad C_{2,3} = \prod_{i=1}^{l} \big( (\hat{u}_i^{-\tau})^{M_i} \hat{h}_i^{-\tau} \big)^t.$$

Next, it verifies that $\prod_{i=1}^{3} e(S_{1,i}, C_{1,i}) \cdot \prod_{i=1}^{3} e(S_{2,i}, C_{2,i})^{-1} = \prod_{i=1}^{l} \Omega_i^{t}$. If this equation holds, then it 
outputs 1. Otherwise, it outputs 0. 


Let $r', c'_1, c'_2$ be the randomness of the aggregate-so-far. If we implicitly set $\tilde{r} = r' + r$, $\tilde{c}_1 = c'_1 + c_g \alpha + c'_2 (xM + y) + 
\sum_{i=1}^{l} (c_{u,i} M_i + c_{h,i})\, r + c_1$, $\tilde{c}_2 = c'_2 + c_g r + c_2$, then the aggregate signature is correctly distributed as 

$$S_{1,1} = \prod_{i=1}^{l} g^{\alpha_i} \prod_{i=1}^{l} (u_i^{M_i} h_i)^{\tilde{r}} w_1^{\tilde{c}_1},\quad S_{1,2} = w_2^{\tilde{c}_1},\quad S_{1,3} = w^{\tilde{c}_1},\qquad S_{2,1} = g^{\tilde{r}} w_1^{\tilde{c}_2},\quad S_{2,2} = w_2^{\tilde{c}_2},\quad S_{2,3} = w^{\tilde{c}_2}.$$


4.3 Security Analysis 

Theorem 4.3. The above SAS1 scheme is existentially unforgeable under a chosen message attack if the 
PKS1 scheme is existentially unforgeable under a chosen message attack. That is, for any PPT adversary 
$\mathcal{A}$ for the above SAS1 scheme, there exists a PPT algorithm $\mathcal{B}$ for the PKS1 scheme such that $Adv^{SAS1}_{\mathcal{A}}(\lambda) \le 
Adv^{PKS1}_{\mathcal{B}}(\lambda)$. 

Proof. Our overall proof strategy for this part follows Lu et al. [27] and adapts it to our setting. The proof 
uses two properties: the fact that the aggregated signature is independent of the order of aggregation, 
and the fact that the simulator of the SAS system possesses the private keys of all signers but the target PKS signer. 

Suppose there exists an adversary $\mathcal{A}$ that forges the above SAS1 scheme with non-negligible advantage 
$\epsilon$. A simulator $\mathcal{B}$ that forges the PKS1 scheme is first given a challenge public key $PK_{PKS} = 
((p, G, \hat{G}, G_T, e), g, u, h, w_1, \ldots, w, \hat{g}, \ldots, \hat{g}^{-\tau}, \hat{u}, \ldots, \hat{u}^{-\tau}, \hat{h}, \ldots, \hat{h}^{-\tau}, \hat{v}, \hat{v}^{\nu_3}, \hat{v}^{-\pi}, \Omega)$. Then $\mathcal{B}$, which interacts with 
$\mathcal{A}$, is described as follows: $\mathcal{B}$ first constructs $PP = ((p, G, \hat{G}, G_T, e), g, w_1, \ldots, w, \hat{g}, \ldots, \hat{g}^{-\tau}, \hat{v}, \hat{v}^{\nu_3}, \hat{v}^{-\pi})$ and 
$PK^* = (u, h, \hat{u}, \ldots, \hat{u}^{-\tau}, \hat{h}, \ldots, \hat{h}^{-\tau}, \Omega = e(g, \hat{g})^{\alpha})$ from $PK_{PKS}$. Next, it initializes a certification list $CL$ as 
empty and gives $PP$ and $PK^*$ to $\mathcal{A}$. $\mathcal{A}$ may adaptively request certification queries or sequential 
aggregate signature queries. If $\mathcal{A}$ requests the certification of a public key by providing a public key 
$PK_i = (u_i, h_i, \ldots, \Omega_i)$ and its private key $SK_i = (\alpha_i, x_i, y_i)$, then $\mathcal{B}$ checks the private key and adds the key 
pair $(PK_i, SK_i)$ to $CL$. If $\mathcal{A}$ requests a sequential aggregate signature by providing an aggregate-so-far $AS'$ on 
messages $\mathbf{M}' = (M_1, \ldots, M_{l-1})$ under public keys $\mathbf{PK}' = (PK_1, \ldots, PK_{l-1})$, and a message $M$ to sign under 
the challenge private key of $PK^*$, then $\mathcal{B}$ handles the aggregate signature query as follows: 

1. It first checks that the signature $AS'$ is valid and that each public key in $\mathbf{PK}'$ exists in $CL$. 

2. It queries its signing oracle that simulates PKS1.Sign on the message $M$ for the challenge public key 
$PK^*$ and obtains a signature $\sigma$. 

3. For each $1 \le i \le l-1$, it adds a signature on the message $M_i$ to the aggregate-so-far (starting from $\sigma$) using SAS1.AggSign, since 
it knows the private key that corresponds to $PK_i$. The resulting signature is an aggregate signature for 
messages $\mathbf{M}' \| M$ under public keys $\mathbf{PK}' \| PK^*$, since this scheme does not check the order of aggregation. 
It gives the resulting signature $AS$ to $\mathcal{A}$. 

Finally, $\mathcal{A}$ outputs a forged aggregate signature $AS^* = (S^*_{1,1}, \ldots, S^*_{2,4})$ on messages $\mathbf{M}^* = (M_1, \ldots, M_l)$ under 
public keys $\mathbf{PK}^* = (PK_1, \ldots, PK_l)$ for some $l$. Without loss of generality, we assume that $PK_1 = PK^*$. $\mathcal{B}$ 
proceeds as follows: 

1. $\mathcal{B}$ first checks the validity of $AS^*$ by calling SAS1.AggVerify. Additionally, the forged signature 
should not be trivial: the challenge public key $PK^*$ must be in $\mathbf{PK}^*$, and the message $M_1$ must not have been 
queried by $\mathcal{A}$ to the signature query oracle. 

2. For each $2 \le i \le l$, it parses $PK_i = (u_i, h_i, \ldots, \Omega_i)$ from $\mathbf{PK}^*$, and it retrieves the private key $SK_i = 
(\alpha_i, x_i, y_i)$ of $PK_i$ from $CL$. It then computes 

$$W_{1,1} = S^*_{1,1} \cdot \prod_{i=2}^{l} \big( g^{\alpha_i} (S^*_{2,1})^{x_i M_i + y_i} \big)^{-1},\quad W_{1,2} = S^*_{1,2} \cdot \prod_{i=2}^{l} \big( (S^*_{2,2})^{x_i M_i + y_i} \big)^{-1},$$
$$W_{1,3} = S^*_{1,3} \cdot \prod_{i=2}^{l} \big( (S^*_{2,3})^{x_i M_i + y_i} \big)^{-1},\quad W_{1,4} = S^*_{1,4} \cdot \prod_{i=2}^{l} \big( (S^*_{2,4})^{x_i M_i + y_i} \big)^{-1},$$
$$W_{2,1} = S^*_{2,1},\quad W_{2,2} = S^*_{2,2},\quad W_{2,3} = S^*_{2,3},\quad W_{2,4} = S^*_{2,4}.$$

3. It outputs $\sigma = (W_{1,1}, \ldots, W_{2,4})$ as a non-trivial forgery of the PKS1 scheme, since it did not make a 
signing query on $M_1$. 

To finish the proof, we first show that the distribution of the simulation is correct. It is obvious that 
the public parameters and the public key are correctly distributed. The sequential aggregate signatures are 
correctly distributed since this scheme does not check the order of aggregation. Finally, we show that 
the resulting signature $\sigma = (W_{1,1}, \ldots, W_{2,4})$ of the simulator is a valid signature for the PKS1 scheme on the 
message $M_1$ under the public key $PK^*$, since it satisfies the following equation: 


Let $V_{1,1}, \ldots, V_{2,4}$ be the verification components of PKS1.Verify for the message $M_1$ under $PK^*$ with random 
exponents $t, s_1, s_2$, and let $C_{1,1}, \ldots, C_{2,4}$ be the components computed by SAS1.AggVerify for $(\mathbf{M}^*, \mathbf{PK}^*)$ with 
exponents $t, s_1, \tilde{s}_2$, so that $C_{1,j} = V_{1,j}$. Writing $\delta_i = x_i M_i + y_i$ and $\delta = \sum_{i=2}^{l} \delta_i$, and using $\hat{u}_i = \hat{g}^{x_i}$, 
$\hat{h}_i = \hat{g}^{y_i}$, we have 

$$\prod_{i=1}^{4} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{4} e(W_{2,i}, V_{2,i})^{-1}$$
$$= e(S^*_{1,1}, \hat{g}^t) \cdot e\Big( \prod_{i=2}^{l} g^{\alpha_i}, \hat{g}^t \Big)^{-1} \cdot e\Big( S^*_{2,1}, \prod_{i=2}^{l} (\hat{u}_i^{M_i} \hat{h}_i)^t \Big)^{-1} \cdot e(S^*_{1,2}, V_{1,2}) \cdot e\Big( S^*_{2,2}, \prod_{i=2}^{l} \big( (\hat{u}_i^{\nu_1})^{M_i} \hat{h}_i^{\nu_1} \big)^t \hat{v}^{s_1 \delta} \Big)^{-1}$$
$$\quad \cdot e(S^*_{1,3}, V_{1,3}) \cdot e\Big( S^*_{2,3}, \prod_{i=2}^{l} \big( (\hat{u}_i^{\nu_2})^{M_i} \hat{h}_i^{\nu_2} \big)^t (\hat{v}^{\nu_3})^{s_1 \delta} \Big)^{-1} \cdot e(S^*_{1,4}, V_{1,4}) \cdot e\Big( S^*_{2,4}, \prod_{i=2}^{l} \big( (\hat{u}_i^{-\tau})^{M_i} \hat{h}_i^{-\tau} \big)^t (\hat{v}^{-\pi})^{s_1 \delta} \Big)^{-1}$$
$$\quad \cdot e\big( S^*_{2,1}, (\hat{u}^{M_1} \hat{h})^t \big)^{-1} \cdot e\big( S^*_{2,2}, ((\hat{u}^{\nu_1})^{M_1} \hat{h}^{\nu_1})^t \hat{v}^{s_2} \big)^{-1} \cdot e\big( S^*_{2,3}, ((\hat{u}^{\nu_2})^{M_1} \hat{h}^{\nu_2})^t (\hat{v}^{\nu_3})^{s_2} \big)^{-1} \cdot e\big( S^*_{2,4}, ((\hat{u}^{-\tau})^{M_1} \hat{h}^{-\tau})^t (\hat{v}^{-\pi})^{s_2} \big)^{-1}$$
$$= \prod_{i=1}^{4} e(S^*_{1,i}, C_{1,i}) \cdot \prod_{i=1}^{4} e(S^*_{2,i}, C_{2,i})^{-1} \cdot \prod_{i=2}^{l} \Omega_i^{-t} = \prod_{i=1}^{l} \Omega_i^{t} \cdot \prod_{i=2}^{l} \Omega_i^{-t} = \Omega_1^{t},$$

where $\tilde{s}_2 = \sum_{i=2}^{l} (x_i M_i + y_i)\, s_1 + s_2$, and the last line uses that $AS^*$ satisfies the verification equation of 
SAS1.AggVerify with the exponents $t, s_1, \tilde{s}_2$. This completes our proof. □ 

Theorem 4.4. The above SAS2 scheme is existentially unforgeable under a chosen message attack if the 
PKS2 scheme is existentially unforgeable under a chosen message attack. That is, for any PPT adversary 
$\mathcal{A}$ for the above SAS2 scheme, there exists a PPT algorithm $\mathcal{B}$ for the PKS2 scheme such that $Adv^{SAS2}_{\mathcal{A}}(\lambda) \le 
Adv^{PKS2}_{\mathcal{B}}(\lambda)$. 

Proof. Suppose there exists an adversary $\mathcal{A}$ that forges the above SAS2 scheme with non-negligible advantage 
$\epsilon$. A simulator $\mathcal{B}$ that forges the PKS2 scheme is first given a challenge public key $PK_{PKS} = 
((p, G, \hat{G}, G_T, e), g w_1^{c_g}, w_2^{c_g}, w^{c_g}, u w_1^{c_u}, \ldots, \hat{h}^{-\tau}, \Omega)$. Then $\mathcal{B}$, which interacts with 
$\mathcal{A}$, is described as follows: $\mathcal{B}$ first constructs $PP = ((p, G, \hat{G}, G_T, e), g w_1^{c_g}, w_2^{c_g}, w^{c_g}, w_1, w_2, w, \hat{g}, \hat{g}^{\nu}, \hat{g}^{-\tau}, \Lambda)$ by 
computing $\Lambda = e(g w_1^{c_g}, \hat{g}) \cdot e(w_2^{c_g}, \hat{g}^{\nu}) \cdot e(w^{c_g}, \hat{g}^{-\tau}) = e(g, \hat{g})$, and $PK^* = (u w_1^{c_u}, \ldots, \hat{u}, \ldots, \hat{h}^{-\tau}, \Omega)$ from 
$PK_{PKS}$. Next, it initializes a certification list $CL$ as empty and gives $PP$ and $PK^*$ to $\mathcal{A}$. $\mathcal{A}$ may 
adaptively request certification queries or sequential aggregate signature queries. If $\mathcal{A}$ requests the certification 
of a public key by providing a public key $PK_i = (u_i w_1^{c_{u,i}}, \ldots, \Omega_i)$ and its private key $SK_i = (\alpha_i, x_i, y_i)$, 
then $\mathcal{B}$ checks the private key and adds the key pair $(PK_i, SK_i)$ to $CL$. If $\mathcal{A}$ requests a sequential aggregate 
signature by providing an aggregate-so-far $AS'$ on messages $\mathbf{M}' = (M_1, \ldots, M_{l-1})$ under public keys 
$\mathbf{PK}' = (PK_1, \ldots, PK_{l-1})$, and a message $M$ to sign under the challenge private key of $PK^*$, then $\mathcal{B}$ handles 
the aggregate signature query as follows: 

1. It first checks that the signature $AS'$ is valid and that each public key in $\mathbf{PK}'$ exists in $CL$. 

2. It queries its signing oracle that simulates PKS2.Sign on the message $M$ for the challenge public key 
$PK^*$ and obtains a signature $\sigma$. 

3. For each $1 \le i \le l-1$, it adds a signature on the message $M_i$ to the aggregate-so-far (starting from $\sigma$) using SAS2.AggSign, since 
it knows the private key that corresponds to $PK_i$. The resulting signature is an aggregate signature for 
messages $\mathbf{M}' \| M$ under public keys $\mathbf{PK}' \| PK^*$, since this scheme does not check the order of aggregation. 
It gives the resulting signature $AS$ to $\mathcal{A}$. 

Finally, $\mathcal{A}$ outputs a forged aggregate signature $AS^* = (S^*_{1,1}, \ldots, S^*_{2,3})$ on messages $\mathbf{M}^* = (M_1, \ldots, M_l)$ under 
public keys $\mathbf{PK}^* = (PK_1, \ldots, PK_l)$ for some $l$. Without loss of generality, we assume that $PK_1 = PK^*$. $\mathcal{B}$ 
proceeds as follows: 

1. $\mathcal{B}$ first checks the validity of $AS^*$ by calling SAS2.AggVerify. Additionally, the forged signature should 
not be trivial: the challenge public key $PK^*$ must be in $\mathbf{PK}^*$, and the message $M_1$ must not have been queried 
by $\mathcal{A}$ to the signature query oracle. 

2. For each $2 \le i \le l$, it parses $PK_i = (u_i w_1^{c_{u,i}}, \ldots, \Omega_i)$ from $\mathbf{PK}^*$, and it retrieves the private key $SK_i = 
(\alpha_i, x_i, y_i)$ of $PK_i$ from $CL$. Since $\mathcal{B}$ only holds $g$ masked as $g w_1^{c_g}$, it removes the other signers' contributions with the 
masked elements of $PP$, which keeps the exponents of $w_1, w_2, w$ consistent across the three components. It then computes 

$$W_{1,1} = S^*_{1,1} \cdot \prod_{i=2}^{l} \big( (g w_1^{c_g})^{\alpha_i} (S^*_{2,1})^{x_i M_i + y_i} \big)^{-1},\quad W_{1,2} = S^*_{1,2} \cdot \prod_{i=2}^{l} \big( (w_2^{c_g})^{\alpha_i} (S^*_{2,2})^{x_i M_i + y_i} \big)^{-1},$$
$$W_{1,3} = S^*_{1,3} \cdot \prod_{i=2}^{l} \big( (w^{c_g})^{\alpha_i} (S^*_{2,3})^{x_i M_i + y_i} \big)^{-1},\quad W_{2,1} = S^*_{2,1},\quad W_{2,2} = S^*_{2,2},\quad W_{2,3} = S^*_{2,3}.$$

3. It outputs $\sigma = (W_{1,1}, \ldots, W_{2,3})$ as a non-trivial forgery of the PKS2 scheme, since it did not make a 
signing query on $M_1$. 

The public parameters and the public key are correctly distributed, and the sequential aggregate signatures 
are also correctly distributed since this scheme does not check the order of aggregation. The resulting 
signature $\sigma = (W_{1,1}, \ldots, W_{2,3})$ of the simulator is a valid PKS2 signature on the message $M_1$ under the public 
key $PK^*$. Let $V_{1,1}, \ldots, V_{2,3}$ be the verification components of PKS2.Verify for $M_1$ under $PK^*$ with exponent $t$, 
and let $C_{1,1}, \ldots, C_{2,3}$ be the components computed by SAS2.AggVerify for $(\mathbf{M}^*, \mathbf{PK}^*)$ with the same $t$, so that 
$C_{1,j} = V_{1,j}$. Writing $\delta_i = x_i M_i + y_i$ and using $\hat{u}_i = \hat{g}^{x_i}$, $\hat{h}_i = \hat{g}^{y_i}$, the signature satisfies 

$$\prod_{i=1}^{3} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(W_{2,i}, V_{2,i})^{-1}$$
$$= e(S^*_{1,1}, \hat{g}^t) \cdot e(S^*_{1,2}, (\hat{g}^{\nu})^t) \cdot e(S^*_{1,3}, (\hat{g}^{-\tau})^t) \cdot \Big( e\big( \prod_{i=2}^{l} (g w_1^{c_g})^{\alpha_i}, \hat{g}^t \big) \cdot e\big( \prod_{i=2}^{l} (w_2^{c_g})^{\alpha_i}, (\hat{g}^{\nu})^t \big) \cdot e\big( \prod_{i=2}^{l} (w^{c_g})^{\alpha_i}, (\hat{g}^{-\tau})^t \big) \Big)^{-1}$$
$$\quad \cdot e\Big( S^*_{2,1}, \prod_{i=2}^{l} (\hat{u}_i^{M_i} \hat{h}_i)^t \Big)^{-1} \cdot e\Big( S^*_{2,2}, \prod_{i=2}^{l} \big( (\hat{u}_i^{\nu})^{M_i} \hat{h}_i^{\nu} \big)^t \Big)^{-1} \cdot e\Big( S^*_{2,3}, \prod_{i=2}^{l} \big( (\hat{u}_i^{-\tau})^{M_i} \hat{h}_i^{-\tau} \big)^t \Big)^{-1}$$
$$\quad \cdot e\big( S^*_{2,1}, (\hat{u}^{M_1} \hat{h})^t \big)^{-1} \cdot e\big( S^*_{2,2}, ((\hat{u}^{\nu})^{M_1} \hat{h}^{\nu})^t \big)^{-1} \cdot e\big( S^*_{2,3}, ((\hat{u}^{-\tau})^{M_1} \hat{h}^{-\tau})^t \big)^{-1}$$
$$= \prod_{i=1}^{3} e(S^*_{1,i}, C_{1,i}) \cdot \prod_{i=1}^{3} e(S^*_{2,i}, C_{2,i})^{-1} \cdot \prod_{i=2}^{l} \Omega_i^{-t} = \prod_{i=1}^{l} \Omega_i^{t} \cdot \prod_{i=2}^{l} \Omega_i^{-t} = \Omega_1^{t},$$

where the three pairings of the $\alpha_i$ terms collapse to $\prod_{i=2}^{l} \Omega_i^{t}$ because $\phi_1 + \nu \phi_2 - \tau = 0$, and the last line uses that 
$AS^*$ satisfies the verification equation of SAS2.AggVerify. This completes our proof. □ 
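The following Python program is an added example and is not part of the paper or of any implementation by its authors. It models SAS2 (Section 4.2.2) and step 2 of the proof of Theorem 4.4 by storing every group element as its discrete logarithm modulo a constructed prime, so that $e(g^a, \hat{g}^b) = e(g, \hat{g})^{ab}$ becomes integer multiplication. Every exponent is therefore visible and the model has no security at all; what it checks is the algebra of the scheme: that the $w$-terms cancel through $\phi_1 + \nu\phi_2 - \tau = 0$, that randomness reuse followed by re-randomization keeps the aggregate verifiable for any verifier exponent $t$, that a tampered message is rejected, and that dividing out the other signers' contributions with their private keys leaves a valid PKS2 signature (a one-signer aggregate) of signer 1. The prime, the dictionary layout, and the omission of the certification list are this example's own assumptions.

```python
import secrets

# Toy model of SAS2: each group element is stored as its discrete logarithm
# modulo the constructed prime P, so e(g^a, g_hat^b) = e(g, g_hat)^{ab} is a*b.
# Every secret is visible, so this has no security; it only checks the algebra.
# Base points g and g_hat have log 1.  Masked components come in three "slots"
# that pair with (g_hat, g_hat^nu, g_hat^-tau) respectively.
P = (1 << 61) - 1

def rnd():      return secrets.randbelow(P)
def gmul(a, b): return (a + b) % P       # group operation (multiplicative in the paper)
def gexp(a, k): return (a * k) % P       # exponentiation
def ginv(a):    return (-a) % P          # inverse
def pair(a, b): return (a * b) % P       # bilinear map on logs

def setup():
    """SAS2.Setup: g is published only masked as g*w1^cg; w1, w2, w are public."""
    g, gh, w = 1, 1, rnd()
    nu, phi1, phi2, cg = rnd(), rnd(), rnd(), rnd()
    tau = (phi1 + nu * phi2) % P
    w1, w2 = gexp(w, phi1), gexp(w, phi2)
    return dict(gbase=(gmul(g, gexp(w1, cg)), gexp(w2, cg), gexp(w, cg)),   # g*w1^cg, w2^cg, w^cg
                wvec=(w1, w2, w),
                ghvec=(gh, gexp(gh, nu), gexp(gh, ginv(tau))),               # g_hat, g_hat^nu, g_hat^-tau
                Lam=pair(g, gh))

def keygen(pp):
    """SAS2.KeyGen: SK = (alpha, x, y); u = g^x and h = g^y are published w-masked."""
    a, x, y, cu, ch = rnd(), rnd(), rnd(), rnd(), rnd()
    mask = lambda e, c: tuple(gmul(gexp(pp['gbase'][j], e), gexp(pp['wvec'][j], c)) for j in range(3))
    pk = dict(u=mask(x, cu), h=mask(y, ch),                      # (u w1^cu, w2^cu, w^cu), (h w1^ch, ...)
              uh=tuple(gexp(v, x) for v in pp['ghvec']),         # u_hat, u_hat^nu, u_hat^-tau
              hh=tuple(gexp(v, y) for v in pp['ghvec']),
              Om=gexp(pp['Lam'], a))
    return pk, (a, x, y)

EMPTY = dict(S1=(0, 0, 0), S2=(0, 0, 0))                         # empty aggregate: all identities

def agg_verify(pp, AS, Ms, PKs):
    """SAS2.AggVerify (key certification is assumed; this toy keeps no CL)."""
    ids = [tuple(sorted(pk.items())) for pk in PKs]
    if len(set(ids)) != len(ids):                                # a key may appear only once
        return False
    if not PKs:
        return AS == EMPTY
    t = secrets.randbelow(P - 1) + 1                             # verifier's random exponent
    C1 = [gexp(v, t) for v in pp['ghvec']]
    C2 = [0, 0, 0]
    for M, pk in zip(Ms, PKs):                                   # prod_i (u_hat_i^{M_i} h_hat_i)^t per slot
        for j in range(3):
            C2[j] = gmul(C2[j], gexp(gmul(gexp(pk['uh'][j], M), pk['hh'][j]), t))
    lhs = 0
    for j in range(3):
        lhs = gmul(lhs, gmul(pair(AS['S1'][j], C1[j]), ginv(pair(AS['S2'][j], C2[j]))))
    rhs = 0
    for pk in PKs:
        rhs = gmul(rhs, gexp(pk['Om'], t))
    return lhs == rhs

def agg_sign(pp, AS, Ms, PKs, M, sk, pk):
    """SAS2.AggSign: verify the aggregate-so-far, reuse its randomness through
    S'_{2,j}^{xM+y}, add our alpha, then re-randomize with fresh r, c1, c2."""
    a, x, y = sk
    if not agg_verify(pp, AS, Ms, PKs) or pk in PKs:
        raise ValueError("invalid aggregate-so-far or signer already present")
    d = (x * M + y) % P
    r, c1, c2 = rnd(), rnd(), rnd()
    S1, S2 = [], []
    for j in range(3):
        T = gmul(gmul(AS['S1'][j], gexp(pp['gbase'][j], a)), gexp(AS['S2'][j], d))
        for Mi, pki in zip(Ms + [M], PKs + [pk]):                # prod_{i=1..l} ((u_i w1^cu_i)^{M_i} h_i w1^ch_i)^r
            T = gmul(T, gexp(gmul(gexp(pki['u'][j], Mi), pki['h'][j]), r))
        S1.append(gmul(T, gexp(pp['wvec'][j], c1)))
        S2.append(gmul(gmul(AS['S2'][j], gexp(pp['gbase'][j], r)), gexp(pp['wvec'][j], c2)))
    return dict(S1=tuple(S1), S2=tuple(S2))

def extract_pks2_forgery(pp, AS, Ms, others_sk):
    """Step 2 of the proof of Theorem 4.4: divide out signers 2..l, whose private
    keys the simulator holds.  What remains is a PKS2 signature of signer 1 on
    M_1, i.e. a one-signer aggregate.  others_sk[i-2] is the key of signer i."""
    W1 = list(AS['S1'])
    for Mi, (ai, xi, yi) in zip(Ms[1:], others_sk):
        d = (xi * Mi + yi) % P
        for j in range(3):
            W1[j] = gmul(W1[j], ginv(gmul(gexp(pp['gbase'][j], ai), gexp(AS['S2'][j], d))))
    return dict(S1=tuple(W1), S2=AS['S2'])

def demo():
    pp = setup()
    keys = [keygen(pp) for _ in range(3)]
    Ms = [rnd() for _ in range(3)]                               # constructed messages in Z_p
    AS, seen_M, seen_PK = EMPTY, [], []
    for (pk, sk), M in zip(keys, Ms):
        AS = agg_sign(pp, AS, seen_M, seen_PK, M, sk, pk)
        seen_M, seen_PK = seen_M + [M], seen_PK + [pk]
    ok = agg_verify(pp, AS, Ms, seen_PK)
    tampered = agg_verify(pp, AS, [Ms[0], (Ms[1] + 1) % P, Ms[2]], seen_PK)
    W = extract_pks2_forgery(pp, AS, Ms, [sk for _, sk in keys[1:]])
    single = agg_verify(pp, W, [Ms[0]], [seen_PK[0]])
    return ok, tampered, single

if __name__ == "__main__":
    print(demo())                                                # (True, False, True)
```

The three-slot layout makes the cancellation explicit: every masked component is a pair (log of a $g$-part, log of a $w$-part), the $w$-parts are proportional to $(\phi_1, \phi_2, 1)$, and pairing a slot vector with $(\hat{g}, \hat{g}^{\nu}, \hat{g}^{-\tau})$ kills the $w$-part while leaving the $g$-part intact. The same model applies to SAS1 with four slots and the extra $\hat{v}$ terms. A real deployment would replace the log arithmetic with a pairing library over an asymmetric curve and would keep the certification list that this toy omits.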

4.4 Discussions 

Multiple Messages. The SAS schemes of this paper only allow a signer to sign once in the aggregate 
algorithm. To support multiple signing by one signer, we can use the method of Lu et al. [27]. The basic 
idea of Lu et al. is to apply a collision-resistant hash function $H$ to a message $M$ before performing the 
signing algorithm. If a signer wants to add a signature on a message $M_2$ into an aggregate signature that already contains his signature on $H(M_1)$, he first 
removes his previous signature on $H(M_1)$ from the aggregate signature using his private key, and then he 
adds a new signature on $H(M_1 \| M_2)$ to the aggregate signature. 

5 Multi-Signature 

In this section, we propose an efficient multi-signature (MS) scheme with short public parameters and prove 
its security without random oracles. 

5.1 Definitions 

Multi-Signature (MS) can be regarded as a special kind of PKAS in which different signatures generated 
by different signers on the same message are combined into a short multi-signature. Thus MS consists of 
the four algorithms of PKS and two additional algorithms Combine and MultVerify for combining a multi-signature 
and verifying a multi-signature. In MS, each signer generates a public key and a private key, and 
he can generate an individual signature on a message by using his private key. To generate a multi-signature, 
anyone can combine individual signatures of different signers on the same message. A verifier can check 
the validity of the multi-signature by using the public keys of the signers. An MS scheme is formally defined as 
follows: 

Definition 5.1 (Multi-Signature). A multi-signature (MS) scheme consists of six PPT algorithms Setup, 
KeyGen, Sign, Verify, Combine, and MultVerify, which are defined as follows: 

Setup($1^\lambda$): The setup algorithm takes as input a security parameter $1^\lambda$, and outputs public parameters $PP$. 

KeyGen($PP$): The key generation algorithm takes as input the public parameters $PP$, and outputs a public 
key $PK$ and a private key $SK$. 

Sign($M, SK$): The signing algorithm takes as input a message $M$ and a private key $SK$. It outputs a 
signature $\sigma$. 

Verify($\sigma, M, PK$): The verification algorithm takes as input a signature $\sigma$ on a message $M$ under a public 
key $PK$, and outputs either 1 or 0 depending on the validity of the signature. 

Combine($\boldsymbol{\sigma}, M, \mathbf{PK}$): The combining algorithm takes as input signatures $\boldsymbol{\sigma} = (\sigma_1, \ldots, \sigma_l)$ on a message $M$ under public 
keys $\mathbf{PK} = (PK_1, \ldots, PK_l)$, and outputs a multi-signature $MS$. 

MultVerify($MS, M, \mathbf{PK}$): The multi-verification algorithm takes as input a multi-signature $MS$ on a message 
$M$ under public keys $\mathbf{PK} = (PK_1, \ldots, PK_l)$, and outputs either 1 or 0 depending on the validity 
of the multi-signature. 

The correctness requirement is that for each $PP$ output by Setup($1^\lambda$), for all $(PK, SK)$ output by KeyGen($PP$), 
and any $M$, we have that Verify(Sign($M, SK$), $M$, $PK$) $= 1$, and for each tuple $\boldsymbol{\sigma}$ of valid signatures on a message $M$ under public keys 
$\mathbf{PK}$, MultVerify(Combine($\boldsymbol{\sigma}, M, \mathbf{PK}$), $M$, $\mathbf{PK}$) $= 1$. 

The security model of MS was defined by Micali et al. [30], but we follow the security model of 
Boldyreva [6] that requires an adversary to register the key pairs of all signers except the target signer, 
namely the knowledge of secret key (KOSK) setting or the proof of knowledge (POK) setting. In this security 
model, an adversary is first given the public key of a target signer. After that, the adversary adaptively 
requests the certification of a public key by registering the key pair of another signer, and he adaptively 
requests a signature of the target signer on a message. Finally, the adversary outputs a forged multi-signature 
on a message $M^*$ under public keys. If the forged multi-signature satisfies the conditions of the security 
model, then the adversary wins the security game. The security model of MS is formally defined as follows: 

Definition 5.2 (Security). The security notion of existential unforgeability under a chosen message attack 
is defined in terms of the following experiment between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$: 

1. Setup: $\mathcal{C}$ first initializes the certification list $CL$ as empty. Next, it runs Setup to obtain public parameters 
$PP$ and KeyGen to obtain a key pair $(PK, SK)$, and gives $PP, PK$ to $\mathcal{A}$. 

2. Certification Query: $\mathcal{A}$ adaptively requests the certification of a public key by providing a key pair 
$(PK_i, SK_i)$. $\mathcal{C}$ adds the key pair $(PK_i, SK_i)$ to $CL$ if the private key is a valid one. 

3. Signature Query: $\mathcal{A}$ adaptively requests a signature by providing a message $M$ to sign under the 
challenge public key $PK$, and receives a signature $\sigma$. 

4. Output: Finally, $\mathcal{A}$ outputs a forged multi-signature $MS^*$ on a message $M^*$ under public keys $\mathbf{PK}^*$. 
$\mathcal{C}$ outputs 1 if the forged signature satisfies the following three conditions, or outputs 0 otherwise: 1) 
MultVerify($MS^*, M^*, \mathbf{PK}^*$) $= 1$, 2) the challenge public key $PK$ must exist in $\mathbf{PK}^*$ and each public 
key in $\mathbf{PK}^*$ except the challenge public key must be in $CL$, and 3) the message $M^*$ must not have been 
queried by $\mathcal{A}$ to the signing oracle. 

The advantage of $\mathcal{A}$ is defined as $Adv^{MS}_{\mathcal{A}}(\lambda) = \Pr[\mathcal{C} = 1]$, where the probability is taken over all the randomness 
of the experiment. An MS scheme is existentially unforgeable under a chosen message attack if all PPT 
adversaries have at most a negligible advantage in the above experiment. 

5.2 Construction 

To construct an MS scheme with short public parameters, we may use our PKS schemes that support multiple 
users and public re-randomization. To aggregate the randomness of signatures, we cannot use the technique 
of Lu et al. [27], since the randomness should be freely aggregated in MS. Instead, we aggregate the randomness 
of signatures by using the fact that each signer generates a signature on the same message in MS. 
That is, if the group elements $u, h$ that are related to message hashing are shared among all signers, then the 
randomness of each signer can be easily aggregated, since the random exponent in a public key and the randomness 
of a signature are placed in different positions. Thus our two PKS schemes can be used to build 
MS schemes, since $g, u, h$ in PKS1 or $g w_1^{c_g}, u w_1^{c_u}, h w_1^{c_h}$ in PKS2 are published in a public key. Note that it is 
not required for a signer to publicly re-randomize a multi-signature, since each signer selects an independent 
random value. 

To reduce the size of multi-signatures, we use our PKS2 scheme for this MS scheme. Our MS scheme 
based on the PKS2 scheme is described as follows: 

MS.Setup($1^\lambda$): This algorithm first generates the asymmetric bilinear groups $G, \hat{G}$ of prime order $p$ of 
bit size $\Theta(\lambda)$. It chooses random elements $g, w \in G$ and $\hat{g} \in \hat{G}$. Next, it selects random exponents 
$\nu, \phi_1, \phi_2 \in \mathbb{Z}_p$ and sets $\tau = \phi_1 + \nu \phi_2$, $w_1 = w^{\phi_1}$, $w_2 = w^{\phi_2}$. It selects random exponents $x, y \in \mathbb{Z}_p$ and 
computes $u = g^x$, $h = g^y$, $\hat{u} = \hat{g}^x$, $\hat{h} = \hat{g}^y$. It publishes public parameters by selecting random values 
$c_g, c_u, c_h \in \mathbb{Z}_p$ as 

$$PP = \big( (p, G, \hat{G}, G_T, e),\ g w_1^{c_g}, w_2^{c_g}, w^{c_g},\ u w_1^{c_u}, w_2^{c_u}, w^{c_u},\ h w_1^{c_h}, w_2^{c_h}, w^{c_h},\ w_1, w_2, w,\ \hat{g}, \hat{g}^{\nu}, \hat{g}^{-\tau},\ \hat{u}, \hat{u}^{\nu}, \hat{u}^{-\tau},\ \hat{h}, \hat{h}^{\nu}, \hat{h}^{-\tau},\ \Lambda = e(g, \hat{g}) \big).$$


MS.KeyGen($PP$): This algorithm takes as input the public parameters $PP$. It selects a random exponent 
$\alpha \in \mathbb{Z}_p$ and computes $\Omega = \Lambda^{\alpha}$. Then it outputs a private key $SK = \alpha$ and a public key $PK = \Omega$. 

MS.Sign($M, SK$): This algorithm takes as input a message $M \in \mathbb{Z}_p$ and a private key $SK = \alpha$. It selects 
random exponents $r, c_1, c_2 \in \mathbb{Z}_p$ and outputs a signature as 

$$\sigma = \Big( W_{1,1} = (g w_1^{c_g})^{\alpha} \big( (u w_1^{c_u})^M (h w_1^{c_h}) \big)^r w_1^{c_1},\ W_{1,2} = (w_2^{c_g})^{\alpha} \big( (w_2^{c_u})^M w_2^{c_h} \big)^r w_2^{c_1},\ W_{1,3} = (w^{c_g})^{\alpha} \big( (w^{c_u})^M w^{c_h} \big)^r w^{c_1},$$
$$W_{2,1} = (g w_1^{c_g})^r w_1^{c_2},\ W_{2,2} = (w_2^{c_g})^r w_2^{c_2},\ W_{2,3} = (w^{c_g})^r w^{c_2} \Big).$$
MS.Verify($\sigma, M, PK$): This algorithm takes as input a signature $\sigma$ on a message $M$ under a public key $PK$. 
It chooses a random exponent $t \in \mathbb{Z}_p$ and computes verification components as 

$$V_{1,1} = \hat{g}^t,\quad V_{1,2} = (\hat{g}^{\nu})^t,\quad V_{1,3} = (\hat{g}^{-\tau})^t,\qquad V_{2,1} = (\hat{u}^M \hat{h})^t,\quad V_{2,2} = \big( (\hat{u}^{\nu})^M \hat{h}^{\nu} \big)^t,\quad V_{2,3} = \big( (\hat{u}^{-\tau})^M \hat{h}^{-\tau} \big)^t.$$

Next, it verifies that $\prod_{i=1}^{3} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(W_{2,i}, V_{2,i})^{-1} = \Omega^t$. If this equation holds, then it outputs 
1. Otherwise, it outputs 0. 

MS.Combine($\boldsymbol{\sigma}, M, \mathbf{PK}$): This algorithm takes as input signatures $\boldsymbol{\sigma} = (\sigma_1, \ldots, \sigma_l)$ on a message $M$ under 
public keys $\mathbf{PK} = (PK_1, \ldots, PK_l)$ where $PK_i = \Omega_i$. It first checks the validity of each signature $\sigma_i = 
(W^{i}_{1,1}, \ldots, W^{i}_{2,3})$ by calling MS.Verify($\sigma_i, M, PK_i$). If any signature is invalid, then it halts. It then 
outputs a multi-signature for the message $M$ as 

$$MS = \Big( S_{1,1} = \prod_{i=1}^{l} W^{i}_{1,1},\ S_{1,2} = \prod_{i=1}^{l} W^{i}_{1,2},\ S_{1,3} = \prod_{i=1}^{l} W^{i}_{1,3},\ S_{2,1} = \prod_{i=1}^{l} W^{i}_{2,1},\ S_{2,2} = \prod_{i=1}^{l} W^{i}_{2,2},\ S_{2,3} = \prod_{i=1}^{l} W^{i}_{2,3} \Big).$$


MS.MultVerify($MS, M, \mathbf{PK}$): This algorithm takes as input a multi-signature $MS$ on a message $M$ under 
public keys $\mathbf{PK} = (PK_1, \ldots, PK_l)$ where $PK_i = \Omega_i$. It chooses a random exponent $t \in \mathbb{Z}_p$ and computes 
verification components as 

$$V_{1,1} = \hat{g}^t,\quad V_{1,2} = (\hat{g}^{\nu})^t,\quad V_{1,3} = (\hat{g}^{-\tau})^t,\qquad V_{2,1} = (\hat{u}^M \hat{h})^t,\quad V_{2,2} = \big( (\hat{u}^{\nu})^M \hat{h}^{\nu} \big)^t,\quad V_{2,3} = \big( (\hat{u}^{-\tau})^M \hat{h}^{-\tau} \big)^t.$$

Next, it verifies that $\prod_{i=1}^{3} e(S_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(S_{2,i}, V_{2,i})^{-1} = \prod_{i=1}^{l} \Omega_i^{t}$. If this equation holds, then it 
outputs 1. Otherwise, it outputs 0. 


5.3 Security Analysis 

Theorem 5.3. The above MS scheme is existentially unforgeable under a chosen message attack if the PKS2 
scheme is existentially unforgeable under a chosen message attack. That is, for any PPT adversary $\mathcal{A}$ for the 
above MS scheme, there exists a PPT algorithm $\mathcal{B}$ for the PKS2 scheme such that $Adv^{MS}_{\mathcal{A}}(\lambda) \le Adv^{PKS2}_{\mathcal{B}}(\lambda)$. 

Proof. Suppose there exists an adversary $\mathcal{A}$ that forges the above MS scheme with a non-negligible advantage 
$\epsilon$. A simulator $\mathcal{B}$ that forges the PKS2 scheme is given a challenge public key $PK_{PKS} = ((p, G, \hat{G}, G_T, e), 
g w_1^{c_g}, \ldots, \hat{h}^{-\tau}, \Omega)$. Then $\mathcal{B}$, which interacts with $\mathcal{A}$, is described as follows: $\mathcal{B}$ first constructs $PP = ((p, G, \hat{G}, G_T, e), 
g w_1^{c_g}, \ldots, \hat{h}^{-\tau}, \Lambda)$ by computing $\Lambda = e(g w_1^{c_g}, \hat{g}) \cdot e(w_2^{c_g}, \hat{g}^{\nu}) \cdot e(w^{c_g}, \hat{g}^{-\tau}) = e(g, \hat{g})$, and $PK^* = \Omega$ from $PK_{PKS}$. Next, 
it initializes a certification list $CL$ as empty and gives $PP$ and $PK^*$ to $\mathcal{A}$. $\mathcal{A}$ may adaptively request 
certification queries or signature queries. If $\mathcal{A}$ requests the certification of a public key by providing a public 
key $PK_i = \Omega_i$ and its private key $SK_i = \alpha_i$, then $\mathcal{B}$ checks the key pair and adds $(PK_i, SK_i)$ to $CL$. If $\mathcal{A}$ requests 
a signature by providing a message $M$ to sign under the challenge private key of $PK^*$, then $\mathcal{B}$ queries 
its signing oracle that simulates PKS2.Sign on the message $M$ for the challenge public key $PK^*$, and gives 
the signature to $\mathcal{A}$. Finally, $\mathcal{A}$ outputs a forged multi-signature $MS^* = (S^*_{1,1}, \ldots, S^*_{2,3})$ on a message $M^*$ under 
public keys $\mathbf{PK}^* = (PK_1, \ldots, PK_l)$ for some $l$. Without loss of generality, we assume that $PK_1 = PK^*$. $\mathcal{B}$ 
proceeds as follows: 
1. $\mathcal{B}$ first checks the validity of $MS^*$ by calling MS.MultVerify. Additionally, the forged signature should 
not be trivial: the challenge public key $PK^*$ must be in $\mathbf{PK}^*$, and the message $M^*$ must not have been queried 
by $\mathcal{A}$ to the signing oracle. 

2. For each $2 \le i \le l$, it parses $PK_i = \Omega_i$ from $\mathbf{PK}^*$, and it retrieves the private key $SK_i = \alpha_i$ of $PK_i$ from 
$CL$. Since $\mathcal{B}$ only holds $g$ masked as $g w_1^{c_g}$, it divides out the other signers' contributions with the masked elements of $PP$, 
which keeps the exponents of $w_1, w_2, w$ consistent across the three components. It then computes 

$$W_{1,1} = S^*_{1,1} \cdot \prod_{i=2}^{l} \big( (g w_1^{c_g})^{\alpha_i} \big)^{-1},\quad W_{1,2} = S^*_{1,2} \cdot \prod_{i=2}^{l} \big( (w_2^{c_g})^{\alpha_i} \big)^{-1},\quad W_{1,3} = S^*_{1,3} \cdot \prod_{i=2}^{l} \big( (w^{c_g})^{\alpha_i} \big)^{-1},$$
$$W_{2,1} = S^*_{2,1},\quad W_{2,2} = S^*_{2,2},\quad W_{2,3} = S^*_{2,3}.$$

3. It outputs $\sigma = (W_{1,1}, \ldots, W_{2,3})$ as a non-trivial forgery of the PKS2 scheme, since it did not make a 
signing query on $M^*$. 

To finish the proof, we first show that the distribution of the simulation is correct. It is obvious that the 
public parameters, the public key, and the signatures are correctly distributed. Next we show that the output 
signature $\sigma = (W_{1,1}, \ldots, W_{2,3})$ of the simulator is a valid signature for the PKS2 scheme on the message $M^*$ 
under the public key $PK^*$, since, with the verification components $V_{1,1}, \ldots, V_{2,3}$ of PKS2.Verify for $M^*$ with 
exponent $t$, it satisfies 

$$\prod_{i=1}^{3} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(W_{2,i}, V_{2,i})^{-1} = \prod_{i=1}^{3} e(S^*_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(S^*_{2,i}, V_{2,i})^{-1} \cdot \prod_{i=2}^{l} \Omega_i^{-t} = \prod_{i=1}^{l} \Omega_i^{t} \cdot \prod_{i=2}^{l} \Omega_i^{-t} = \Omega_1^{t},$$

where the three pairings of the $\alpha_i$ terms collapse to $\prod_{i=2}^{l} \Omega_i^{t}$ because $\phi_1 + \nu \phi_2 - \tau = 0$. 
This completes our proof. □ 
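The following Python program is an added example, not code from the paper or its authors. It models the MS scheme of Section 5.2 and step 2 of the proof of Theorem 5.3 in a toy representation where every group element is stored as its discrete logarithm modulo a constructed prime (so the pairing is integer multiplication); all secrets are visible and nothing here is secure. It shows the point made in Section 5.2: because $u, h$ are shared through $PP$, Combine is a plain componentwise product and the per-signer exponents $r_i$ simply add up, with no sequential re-randomization; it also checks that a multi-signature is rejected against a public-key list that omits a contributor, and that dividing out $(g w_1^{c_g}, w_2^{c_g}, w^{c_g})^{\alpha_i}$ for the known $\alpha_i$ leaves a valid single-signer PKS2 signature. The prime and the dictionary layout are this example's own assumptions, and the certification list is omitted.

```python
import secrets

# Toy model of the MS scheme of Section 5.2: each group element is stored as its
# discrete logarithm modulo the constructed prime P, so e(g^a, g_hat^b) =
# e(g, g_hat)^{ab} is a*b.  All secrets are visible; only the algebra is checked.
# Base points g and g_hat have log 1.  Masked components come in three "slots"
# that pair with (g_hat, g_hat^nu, g_hat^-tau) respectively.
P = (1 << 61) - 1

def rnd():      return secrets.randbelow(P)
def gmul(a, b): return (a + b) % P       # group operation (multiplicative in the paper)
def gexp(a, k): return (a * k) % P       # exponentiation
def ginv(a):    return (-a) % P          # inverse
def pair(a, b): return (a * b) % P       # bilinear map on logs

def setup():
    """MS.Setup: u = g^x and h = g^y are shared by all signers and published
    only masked by w-powers, exactly like g itself."""
    g, gh, w = 1, 1, rnd()
    nu, phi1, phi2, x, y = rnd(), rnd(), rnd(), rnd(), rnd()
    tau = (phi1 + nu * phi2) % P
    wvec = (gexp(w, phi1), gexp(w, phi2), w)                     # w1, w2, w
    ghvec = (gh, gexp(gh, nu), gexp(gh, ginv(tau)))              # g_hat, g_hat^nu, g_hat^-tau
    def masked(base, c):                                         # (base*w1^c, w2^c, w^c)
        return tuple(gmul(base if j == 0 else 0, gexp(wvec[j], c)) for j in range(3))
    return dict(gm=masked(g, rnd()), um=masked(gexp(g, x), rnd()), hm=masked(gexp(g, y), rnd()),
                wvec=wvec, ghvec=ghvec,
                uh=tuple(gexp(v, x) for v in ghvec), hh=tuple(gexp(v, y) for v in ghvec),
                Lam=pair(g, gh))

def keygen(pp):
    """MS.KeyGen: PK = Omega = Lambda^alpha, SK = alpha."""
    a = rnd()
    return gexp(pp['Lam'], a), a

def sign(pp, M, a):
    """MS.Sign, i.e. PKS2.Sign with the shared u, h; r, c1, c2 are fresh."""
    r, c1, c2 = rnd(), rnd(), rnd()
    W1 = tuple(gmul(gmul(gexp(pp['gm'][j], a), gexp(gmul(gexp(pp['um'][j], M), pp['hm'][j]), r)),
                    gexp(pp['wvec'][j], c1)) for j in range(3))
    W2 = tuple(gmul(gexp(pp['gm'][j], r), gexp(pp['wvec'][j], c2)) for j in range(3))
    return dict(W1=W1, W2=W2)

def mult_verify(pp, sig, M, Oms):
    """MS.MultVerify; MS.Verify is the case of a single public key."""
    t = secrets.randbelow(P - 1) + 1
    V1 = [gexp(v, t) for v in pp['ghvec']]
    V2 = [gexp(gmul(gexp(pp['uh'][j], M), pp['hh'][j]), t) for j in range(3)]
    lhs = 0
    for j in range(3):
        lhs = gmul(lhs, gmul(pair(sig['W1'][j], V1[j]), ginv(pair(sig['W2'][j], V2[j]))))
    rhs = 0
    for Om in Oms:
        rhs = gmul(rhs, gexp(Om, t))
    return lhs == rhs

def combine(pp, sigs, M, Oms):
    """MS.Combine: check every individual signature, then multiply componentwise;
    the per-signer exponents r_i simply add up because u, h are shared."""
    if not all(mult_verify(pp, s, M, [Om]) for s, Om in zip(sigs, Oms)):
        raise ValueError("invalid individual signature")
    return dict(W1=tuple(sum(s['W1'][j] for s in sigs) % P for j in range(3)),
                W2=tuple(sum(s['W2'][j] for s in sigs) % P for j in range(3)))

def extract_forgery(pp, MS, others_alpha):
    """Step 2 of the proof of Theorem 5.3: divide (g w1^cg, w2^cg, w^cg)^{alpha_i}
    out of the multi-signature for every signer whose alpha_i is known, leaving
    a PKS2 signature of signer 1 on the same message."""
    W1 = list(MS['W1'])
    for ai in others_alpha:
        for j in range(3):
            W1[j] = gmul(W1[j], ginv(gexp(pp['gm'][j], ai)))
    return dict(W1=tuple(W1), W2=MS['W2'])

def demo():
    pp = setup()
    keys = [keygen(pp) for _ in range(4)]                        # (Omega_i, alpha_i)
    M = rnd()                                                    # constructed message in Z_p
    Oms = [Om for Om, _ in keys]
    MS = combine(pp, [sign(pp, M, a) for _, a in keys], M, Oms)
    ok = mult_verify(pp, MS, M, Oms)
    missing = mult_verify(pp, MS, M, Oms[:-1])                   # PK list omits one signer
    W = extract_forgery(pp, MS, [a for _, a in keys[1:]])
    single = mult_verify(pp, W, M, [Oms[0]])
    return ok, missing, single

if __name__ == "__main__":
    print(demo())                                                # (True, False, True)
```

Combine does not re-randomize: each $\sigma_i$ already carries its own $r_i, c_{1,i}, c_{2,i}$, and because every signer's $W_{2,1}$ is built from the same masked $g w_1^{c_g}$, the sum of the $W_{2,j}$ is again of the form $(g w_1^{c_g})^{\sum r_i} w_1^{c}$, which is exactly what MultVerify expects. The Verify call inside Combine is what stops a malformed $\sigma_i$ from being folded in.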

5.4 Discussions 

Removing the Proof of Knowledge. In our MS scheme, an adversary should prove that he knows the 
private key of another signer by using a zero-knowledge proof system. Ristenpart and Yilek [32] showed that 
some MS schemes can be proven secure in the proof of possession (POP) setting instead of the POK setting. Our 
MS scheme can also be proven secure in the POP setting by using their technique. That is, if our MS scheme is 
combined with a POP scheme that uses a different hash function, and the adversary submits a signature 
under the private key of the other signer as the proof of possession, then the security of our scheme is still achieved. 
In the security proof, the simulator cannot extract the private key $\alpha_i$ from the signature of the POP 
scheme, but it can extract the values $g^{\alpha_i} w_1^{c}, w_2^{c}, w^{c}$ (for some exponent $c$ that is the same in all three), and these values are enough for the security proof. 

6 Conclusion 

In this paper, we first proposed two PKS schemes with short public keys that support multiple users and public 
re-randomization based on the LW-IBE scheme. Next, we proposed two SAS schemes with short public 
keys without random oracles and with no relaxation of assumptions (i.e., employing neither random oracles 
nor interactive assumptions) based on our two PKS schemes. The proposed SAS schemes are the first of 
this kind that have short (a constant number of group elements) public keys and a constant number of 
pairing operations per message in the verification algorithm. We also proposed an MS scheme with short 
public parameters based on our PKS scheme and proved its security without random oracles. 

There are many interesting open problems. The first one is to construct an SAS scheme with short 
public keys that is secure under standard assumptions without random oracles. A possible approach is to 
build an SAS scheme based on the practical PKS scheme of Böhl et al. that is secure under a standard 
assumption. The second one is to build an SAS scheme with short public keys that supports lazy verification 
and has constant-size aggregate signatures. Brogle et al. proposed an SAS scheme with lazy 
verification, but the size of aggregate signatures in their SAS scheme is not constant. 
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A Lewko-Waters IBE 

In this section, we describe the IBE scheme of Eewko and Waters (EW-IBE) ll26l in prime order bilinear 

groups and the PKS scheme (EW-PKS) that is derived from the EW-IBE scheme. 
A.1 The LW-IBE Scheme 

The LW-IBE scheme in prime order bilinear groups is described as follows: 

IBE.Setup($1^{\lambda}$): This algorithm first generates the asymmetric bilinear groups $\mathbb{G}, \hat{\mathbb{G}}$ of prime order $p$ of 
bit size $\Theta(\lambda)$. It chooses random elements $g \in \mathbb{G}$ and $\hat{g}, \hat{w} \in \hat{\mathbb{G}}$. Next, it chooses random exponents 
$\nu, \phi_1, \phi_2 \in \mathbb{Z}_p$ and sets $\tau = \phi_1 + \nu\phi_2$. It selects random exponents $\alpha, x, y \in \mathbb{Z}_p$ and sets $u = g^{x}, \hat{u} = \hat{g}^{x}, h = g^{y}, \hat{h} = \hat{g}^{y}, \hat{w}_1 = \hat{w}^{\phi_1}, \hat{w}_2 = \hat{w}^{\phi_2}$. It outputs a master key $MK$ and public 
parameters as 

$PP = \big( (p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ g, g^{\nu}, g^{-\tau},\ u, u^{\nu}, u^{-\tau},\ h, h^{\nu}, h^{-\tau},\ \Omega = e(g, \hat{g})^{\alpha} \big).$ 

IBE.GenKey($ID, MK$): This algorithm takes as input an identity $ID \in \{0,1\}^{k}$ where $k < \lambda$ and the master 
key $MK$. It selects random exponents $r, c_1, c_2 \in \mathbb{Z}_p$ and outputs a private key as 

$SK_{ID} = \big( K_{1,1} = \hat{g}^{\alpha} (\hat{u}^{ID} \hat{h})^{r} \hat{w}_1^{c_1},\ K_{1,2} = \hat{w}_2^{c_1},\ K_{1,3} = \hat{w}^{c_1},\ K_{2,1} = \hat{g}^{r} \hat{w}_1^{c_2},\ K_{2,2} = \hat{w}_2^{c_2},\ K_{2,3} = \hat{w}^{c_2} \big).$ 

IBE.Encrypt($M, ID, PP$): This algorithm takes as input a message $M \in \mathbb{G}_T$, an identity $ID$, and the public 
parameters $PP$. It first chooses a random exponent $t$ and outputs a ciphertext as 

$CT = \big( C = e(g, \hat{g})^{\alpha t} M,\ C_{1,1} = g^{t},\ C_{1,2} = (g^{\nu})^{t},\ C_{1,3} = (g^{-\tau})^{t},$ 
$\quad C_{2,1} = (u^{ID} h)^{t},\ C_{2,2} = ((u^{\nu})^{ID} h^{\nu})^{t},\ C_{2,3} = ((u^{-\tau})^{ID} h^{-\tau})^{t} \big).$ 

IBE.Decrypt($CT, SK_{ID}, PP$): This algorithm takes as input a ciphertext $CT$, a private key $SK_{ID}$, and the 
public parameters $PP$. If the identities of the ciphertext and the private key are equal, then it computes 

$M = C \cdot \prod_{i=1}^{3} e(C_{1,i}, K_{1,i})^{-1} \cdot \prod_{i=1}^{3} e(C_{2,i}, K_{2,i}).$ 


A.2 The LW-PKS Scheme 

To derive a LW-PKS scheme from the LW-IBE scheme, we apply the transformation of Naor [9]. Additionally, 
we represent the signature in $\mathbb{G}$ instead of $\hat{\mathbb{G}}$ to reduce the size of signatures. The LW-PKS scheme in 
prime order bilinear groups is described as follows: 

PKS.KeyGen($1^{\lambda}$): This algorithm first generates the asymmetric bilinear groups $\mathbb{G}, \hat{\mathbb{G}}$ of prime order $p$ of 
bit size $\Theta(\lambda)$. It chooses random elements $g, w \in \mathbb{G}$ and $\hat{g} \in \hat{\mathbb{G}}$. Next, it chooses random exponents 
$\nu, \phi_1, \phi_2 \in \mathbb{Z}_p$ and sets $\tau = \phi_1 + \nu\phi_2$. It selects random exponents $\alpha, x, y \in \mathbb{Z}_p$ and sets $u = g^{x}, \hat{u} = \hat{g}^{x}, h = g^{y}, \hat{h} = \hat{g}^{y}, w_1 = w^{\phi_1}, w_2 = w^{\phi_2}$. It outputs a private key $SK = (\alpha, g, u, h)$ and a public key as 

$PK = \big( (p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e),\ w_1, w_2, w,\ \hat{g}, \hat{g}^{\nu}, \hat{g}^{-\tau},\ \hat{u}, \hat{u}^{\nu}, \hat{u}^{-\tau},\ \hat{h}, \hat{h}^{\nu}, \hat{h}^{-\tau},\ \Omega = e(g, \hat{g})^{\alpha} \big).$ 


PKS.Sign($M, SK$): This algorithm takes as input a message $M \in \{0,1\}^{k}$ where $k < \lambda$ and a private key $SK$. 
It selects random exponents $r, c_1, c_2 \in \mathbb{Z}_p$ and outputs a signature as 

$\sigma = \big( W_{1,1} = g^{\alpha} (u^{M} h)^{r} w_1^{c_1},\ W_{1,2} = w_2^{c_1},\ W_{1,3} = w^{c_1},\ W_{2,1} = g^{r} w_1^{c_2},\ W_{2,2} = w_2^{c_2},\ W_{2,3} = w^{c_2} \big).$ 
PKS.Verify($\sigma, M, PK$): This algorithm takes as input a signature $\sigma$ on a message $M \in \{0,1\}^{k}$ under a public 
key $PK$. It first chooses a random exponent $t \in \mathbb{Z}_p$ and computes verification components as 

$V_{1,1} = \hat{g}^{t},\ V_{1,2} = (\hat{g}^{\nu})^{t},\ V_{1,3} = (\hat{g}^{-\tau})^{t},$ 
$V_{2,1} = (\hat{u}^{M} \hat{h})^{t},\ V_{2,2} = ((\hat{u}^{\nu})^{M} \hat{h}^{\nu})^{t},\ V_{2,3} = ((\hat{u}^{-\tau})^{M} \hat{h}^{-\tau})^{t}.$ 

Next, it verifies that $\prod_{i=1}^{3} e(W_{1,i}, V_{1,i}) \cdot \prod_{i=1}^{3} e(W_{2,i}, V_{2,i})^{-1} = \Omega^{t}$. If this equation holds, then it outputs 
1. Otherwise, it outputs 0. 

We can safely move the elements $w_1, w_2, w$ from the private key to the public key since these elements 
are always constructed in the security proof of the LW-IBE scheme. However, this LW-PKS scheme does 
not support the multi-user setting and public re-randomization since the elements $g, u, h$ are not given in the 
public key. 
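The following Python script is an added illustration, not code from the paper or from any implementation of it. It checks the algebra of the decryption equation of A.1 and the verification equation of A.2 in a toy "exponent model" of an asymmetric pairing: every group element is stored as its discrete logarithm modulo a constructed prime, so multiplication in $\mathbb{G}$, $\hat{\mathbb{G}}$ and $\mathbb{G}_T$ becomes addition of logs and $e(g^{a}, \hat{g}^{b}) = e(g,\hat{g})^{ab}$ becomes a product of logs. Such a model exposes every discrete log and is useless as a cryptosystem; its only purpose is to show concretely how the choice $\tau = \phi_1 + \nu\phi_2$ makes the $w$-terms cancel, and why a tampered signature, a different message or a different public key makes the verification equation fail. The prime `P`, all helper names, and the sample message and identity are constructed for this example.

```python
# Added toy model (not the paper's code): the LW-IBE decryption identity (A.1)
# and the LW-PKS verification equation (A.2) checked in an "exponent model" of
# an asymmetric pairing.  Every group element is stored as its discrete log
# modulo P w.r.t. hidden generators, so multiplication in G / Ĝ / G_T is
# addition of logs, exponentiation is multiplication of logs, and
# e(g^a, ĝ^b) = e(g, ĝ)^{ab} is a product of logs.  It verifies the algebra
# only; it is NOT a secure implementation, because the "elements" are their
# own discrete logs.
import secrets

P = 2**127 - 1  # constructed prime standing in for the group order p


def rnd():
    """Random exponent in Z_p^* (constructed helper; never returns 0)."""
    return secrets.randbelow(P - 1) + 1


def mul(*xs):    # product of group elements  ->  sum of logs
    return sum(xs) % P


def pw(a, k):    # a^k  ->  k * log(a); a negative k gives the inverse
    return a * k % P


def pair(a, b):  # e(g^a, ĝ^b) = e(g, ĝ)^{ab}  ->  product of logs
    return a * b % P


def setup():
    """Common part of IBE.Setup and PKS.KeyGen; tau = phi1 + nu*phi2."""
    g, ghat, w = rnd(), rnd(), rnd()
    nu, phi1, phi2 = rnd(), rnd(), rnd()
    alpha, x, y = rnd(), rnd(), rnd()
    return dict(g=g, ghat=ghat, w=w, nu=nu, tau=(phi1 + nu * phi2) % P,
                alpha=alpha, u=pw(g, x), uhat=pw(ghat, x), h=pw(g, y),
                hhat=pw(ghat, y), w1=pw(w, phi1), w2=pw(w, phi2))


def lw_pks_keygen():
    """PKS.KeyGen: SK = (alpha, g, u, h); PK holds w, w1, w2, the hatted side and Omega."""
    s = setup()
    sk = dict(alpha=s["alpha"], g=s["g"], u=s["u"], h=s["h"])
    pk = dict(w=s["w"], w1=s["w1"], w2=s["w2"],
              omega=pw(pair(s["g"], s["ghat"]), s["alpha"]))
    for name in ("ghat", "uhat", "hhat"):   # X, X^nu, X^{-tau} for X in {ĝ, û, ĥ}
        pk[name] = s[name]
        pk[name + "_nu"] = pw(s[name], s["nu"])
        pk[name + "_mt"] = pw(s[name], -s["tau"])
    return sk, pk


def lw_pks_sign(sk, pk, m):
    """PKS.Sign on a k-bit message m already read as an integer."""
    r, c1, c2 = rnd(), rnd(), rnd()
    um_h = mul(pw(sk["u"], m), sk["h"])                                    # u^m h
    return (mul(pw(sk["g"], sk["alpha"]), pw(um_h, r), pw(pk["w1"], c1)),  # W_{1,1}
            pw(pk["w2"], c1), pw(pk["w"], c1),                             # W_{1,2}, W_{1,3}
            mul(pw(sk["g"], r), pw(pk["w1"], c2)),                         # W_{2,1}
            pw(pk["w2"], c2), pw(pk["w"], c2))                             # W_{2,2}, W_{2,3}


def lw_pks_verify(pk, m, sig):
    """PKS.Verify: prod e(W_{1,i},V_{1,i}) * prod e(W_{2,i},V_{2,i})^{-1} == Omega^t."""
    t = rnd()   # t = 0 would satisfy the equation for any tuple, so rnd() excludes it
    v1 = [pw(pk[k], t) for k in ("ghat", "ghat_nu", "ghat_mt")]
    v2 = [pw(mul(pw(pk["uhat" + sfx], m), pk["hhat" + sfx]), t)
          for sfx in ("", "_nu", "_mt")]
    lhs = (sum(pair(a, b) for a, b in zip(sig[:3], v1))
           - sum(pair(a, b) for a, b in zip(sig[3:], v2))) % P
    return lhs == pw(pk["omega"], t)


def lw_ibe_roundtrip(identity, msg):
    """IBE.GenKey/Encrypt/Decrypt for one identity; returns the recovered G_T log.

    In the real scheme the w-elements of the key live in Ĝ; the toy model does
    not distinguish the two source groups, so the same logs are reused."""
    s = setup()
    r, k1, k2, t = rnd(), rnd(), rnd(), rnd()
    uid_hhat = mul(pw(s["uhat"], identity), s["hhat"])                     # û^ID ĥ
    key1 = (mul(pw(s["ghat"], s["alpha"]), pw(uid_hhat, r), pw(s["w1"], k1)),
            pw(s["w2"], k1), pw(s["w"], k1))
    key2 = (mul(pw(s["ghat"], r), pw(s["w1"], k2)), pw(s["w2"], k2), pw(s["w"], k2))
    uid_h = mul(pw(s["u"], identity), s["h"])                               # u^ID h
    c = mul(pw(pair(s["g"], s["ghat"]), s["alpha"] * t), msg)               # C = e(g,ĝ)^{alpha t} M
    ct1 = [pw(s["g"], e) for e in (t, s["nu"] * t, -s["tau"] * t)]
    ct2 = [pw(uid_h, e) for e in (t, s["nu"] * t, -s["tau"] * t)]
    return (c - sum(pair(a, b) for a, b in zip(ct1, key1))
            + sum(pair(a, b) for a, b in zip(ct2, key2))) % P


if __name__ == "__main__":
    sk, pk = lw_pks_keygen()
    m = int.from_bytes(b"msg 0001", "big")   # constructed 64-bit message read as an integer
    sig = lw_pks_sign(sk, pk, m)
    print("valid signature verifies:", lw_pks_verify(pk, m, sig))
    print("other message rejected:  ", not lw_pks_verify(pk, m + 1, sig))
    print("IBE round trip:          ", lw_ibe_roundtrip(7, 12345) == 12345)
```

Because the model treats $\mathbb{G}$ and $\hat{\mathbb{G}}$ symmetrically, it says nothing about the asymmetric setting or the hardness assumptions the real scheme relies on; what it does make visible is that the three pairings on each side collapse to a single term once $\tau = \phi_1 + \nu\phi_2$, and that the verifier's random $t$ must be non-zero for the check to mean anything.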